Compare text

Find the difference between two text files

Real-time diff

Unified diff

Collapse lines

Highlight change

Syntax highlighting

Tools

Diffchecker Desktop The most secure way to run Diffchecker. Get the Diffchecker Desktop app: your diffs never leave your computer!Get Desktop

Comparing sensitive data, confidential files or internal emails?

Most legal and privacy policies prohibit uploading sensitive data online. Diffchecker Desktop ensures your confidential information never leaves your computer. Work offline and compare documents securely.

Download Diffchecker Desktop Learn more

Wazuh Sigma rules

Created 7 months agoDiff never expires

41 removals

416 lines

39 additions

414 lines

<!--

Author: Brian Kellogg

Sigma: https://github.com/SigmaHQ/sigma

Wazuh: https://wazuh.com

All Sigma rules licensed under DRL: https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md

-->

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)JobAdd</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:JobAdd)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)atsvc</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:atsvc)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)SchRpcEnableTask</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcEnableTask)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)SchRpcRegisterTask</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcRegisterTask)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)SchRpcRun</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcRun)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)IWbemServices</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IWbemServices)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)ExecMethod</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:ExecMethod)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)IWbemServices</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IWbemServices)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)ExecMethodAsync</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:ExecMethodAsync)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)CreateServiceA</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:CreateServiceA)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)CreateServiceW</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:CreateServiceW)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)StartServiceA</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:StartServiceA)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1047</id>

<id>attack.t1053.002</id>

<id>attack.t1569.002</id>

</mitre>

<description>MITRE BZAR Indicators for Execution</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)StartServiceW</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:StartServiceW)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)spoolss</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)RpcAddMonitor</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAddMonitor)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)spoolss</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)RpcAddPrintProcessor</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAddPrintProcessor)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)IRemoteWinspool</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IRemoteWinspool)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)RpcAsyncAddMonitor</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAsyncAddMonitor)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)IRemoteWinspool</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IRemoteWinspool)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)RpcAsyncAddPrintProcessor</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAsyncAddPrintProcessor)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)ISecLogon</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ISecLogon)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)SeclCreateProcessWithLogonW</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:SeclCreateProcessWithLogonW)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>

<mitre>

<id>attack.persistence</id>

<id>attack.t1547.004</id>

</mitre>

<description>MITRE BZAR Indicators for Persistence</description>

<field name="data.endpoint" negate="no" type="pcre2">(?i)ISecLogon</field>

<field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ISecLogon)$</field>

<field name="data.operation" negate="no" type="pcre2">(?i)SeclCreateProcessWithLogonExW</field>

<field name="data.operation" negate="no" type="pcre2">(?i)^(?:SeclCreateProcessWithLogonExW)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml</info>

<!--Description: Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.

The usage of this RPC function should be rare if ever used at all.

Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.

View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'

-->

<mitre>

<id>attack.t1557.001</id>

<id>attack.t1187</id>

</mitre>

<description>Potential PetitPotam Attack Via EFS RPC Calls</description>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml</info>

<!--Description: Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).

The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.

-->

<mitre>

<id>attack.execution</id>

</mitre>

<description>Possible PrintNightmare Print Driver Install</description>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml</info>

<mitre>

<id>attack.lateral_movement</id>

<id>attack.t1021.002</id>

</mitre>

<description>SMB Spoolss Name Piped Usage</description>

<group>zeek,smb_files,</group>

<field name="data.name" negate="no" type="pcre2">(?i)spoolss</field>

<field name="data.name" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml</info>

<mitre>

<id>attack.command_and_control</id>

<id>attack.s0154</id>

</mitre>

<description>Default Cobalt Strike Certificate</description>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml</info>

<mitre>

<id>attack.execution</id>

<id>attack.t1569.002</id>

<id>attack.impact</id>

<id>attack.t1496</id>

</mitre>

<description>DNS Events Related To Mining Pools</description>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml</info>

<mitre>

<id>attack.command_and_control</id>

</mitre>

<description>New Kind of Network (NKN) Detection</description>

</rule>

<info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml</info>

<!--Description: The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).

Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.

Although recently it has been used in DNSSec, the value be

Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.

Determine if multiple of these files were accessed

Saved diffs

Original text

Open file

<group name="sigma,">
    
    <rule id="900001" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)JobAdd</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)atsvc</field>
    </rule>
    <rule id="900002" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)SchRpcEnableTask</field>
    </rule>
    <rule id="900003" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)SchRpcRegisterTask</field>
    </rule>
    <rule id="900004" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)ITaskSchedulerService</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)SchRpcRun</field>
    </rule>
    <rule id="900005" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)IWbemServices</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)ExecMethod</field>
    </rule>
    <rule id="900006" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)IWbemServices</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)ExecMethodAsync</field>
    </rule>
    <rule id="900007" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)CreateServiceA</field>
    </rule>
    <rule id="900008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)CreateServiceW</field>
    </rule>
    <rule id="900009" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)StartServiceA</field>
    </rule>
    <rule id="900010" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)svcctl</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)StartServiceW</field>
    </rule>
    <rule id="900011" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)spoolss</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)RpcAddMonitor</field>
    </rule>
    <rule id="900012" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)spoolss</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)RpcAddPrintProcessor</field>
    </rule>
    <rule id="900013" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)IRemoteWinspool</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)RpcAsyncAddMonitor</field>
    </rule>
    <rule id="900014" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)IRemoteWinspool</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)RpcAsyncAddPrintProcessor</field>
    </rule>
    <rule id="900015" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)ISecLogon</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)SeclCreateProcessWithLogonW</field>
    </rule>
    <rule id="900016" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)ISecLogon</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)SeclCreateProcessWithLogonExW</field>
    </rule>
    <rule id="900017" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1557.001</id>
            <id>attack.t1187</id>
        </mitre>
        <description>Potential PetitPotam Attack Via EFS RPC Calls</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:efs)</field>
    </rule>
    <rule id="900018" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>cve.2021.1678</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>Possible PrintNightmare Print Driver Install</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.operation" negate="no" type="pcre2">(?i)RpcAsyncInstallPrinterDriverFromPackage|RpcAsyncAddPrintProcessor|RpcAddPrintProcessor|RpcAddPrinterDriverEx|RpcAddPrinterDriver|RpcAsyncAddPrinterDriver</field>
    </rule>
    <rule id="900019" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>SMB Spoolss Name Piped Usage</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)(?:IPC\$)$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)spoolss</field>
    </rule>
    <rule id="900020" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.s0154</id>
        </mitre>
        <description>Default Cobalt Strike Certificate</description>
        <options>no_full_log</options>
        <group>zeek,x509,</group>
        <field name="data.certificate.serial" negate="no" type="pcre2">(?i)8BB00EE</field>
    </rule>
    <rule id="900021" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>DNS Events Related To Mining Pools</description>
        <options>no_full_log</options>
        <group>dns,zeek,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)(?:monerohash\.com|do\-dear\.com|xmrminerpro\.com|secumine\.net|xmrpool\.com|minexmr\.org|hashanywhere\.com|xmrget\.com|mininglottery\.eu|minergate\.com|moriaxmr\.com|multipooler\.com|moneropools\.com|xmrpool\.eu|coolmining\.club|supportxmr\.com|minexmr\.com|hashvault\.pro|xmrpool\.net|crypto\-pool\.fr|xmr\.pt|miner\.rocks|walpool\.com|herominers\.com|gntl\.co\.uk|semipool\.com|coinfoundry\.org|cryptoknight\.cc|fairhash\.org|baikalmine\.com|tubepool\.xyz|fairpool\.xyz|asiapool\.io|coinpoolit\.webhop\.me|nanopool\.org|moneropool\.com|miner\.center|prohash\.net|poolto\.be|cryptoescrow\.eu|monerominers\.net|cryptonotepool\.org|extrmepool\.org|webcoin\.me|kippo\.eu|hashinvest\.ws|monero\.farm|linux\-repository\-updates\.com|1gh\.com|dwarfpool\.com|hash\-to\-coins\.com|pool\-proxy\.com|hashfor\.cash|fairpool\.cloud|litecoinpool\.org|mineshaft\.ml|abcxyz\.stream|moneropool\.ru|cryptonotepool\.org\.uk|extremepool\.org|extremehash\.com|hashinvest\.net|unipool\.pro|crypto\-pools\.org|monero\.net|backup\-pool\.com|mooo\.com|freeyy\.me|cryptonight\.net|shscrypto\.net)$</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)127\.0\.0\.1</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)0\.0\.0\.0</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900022" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>New Kind of Network (NKN) Detection</description>
        <options>no_full_log</options>
        <group>zeek,dns,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)seed</field>
        <field name="data.query" negate="no" type="pcre2">(?i)\.nkn\.org</field>
    </rule>
    <rule id="900023" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1095</id>
            <id>attack.t1571</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious DNS Z Flag Bit Set</description>
        <options>no_full_log</options>
        <group>zeek,dns,</group>
        <field name="data.z" negate="yes" type="pcre2">(?i)0</field>
        <field name="data.query" negate="no" type="pcre2">(?i)\.</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.arpa)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.local)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.ultradns\.net)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.twtrdns\.net)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-prd\.info)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azure\-dns\.com)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-ff\.info)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-ff\.org)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuregov\-dns\.org)$</field>
        <field name="data.qtype_name" negate="yes" type="pcre2">(?i)ns</field>
        <field name="data.qtype_name" negate="yes" type="pcre2">(?i)mx</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)(?:\\+x00)$</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)137</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)138</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)139</field>
    </rule>
    <rule id="900024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>DNS TOR Proxies</description>
        <options>no_full_log</options>
        <group>dns,zeek,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)tor2web\.org|tor2web\.com|torlink\.co|onion\.to|onion\.ink|onion\.cab|onion\.nu|onion\.link|onion\.it|onion\.city|onion\.direct|onion\.top|onion\.casa|onion\.plus|onion\.rip|onion\.dog|tor2web\.fi|tor2web\.blutmagie\.de|onion\.sh|onion\.lu|onion\.pet|t2w\.pw|tor2web\.ae\.org|tor2web\.io|tor2web\.xyz|onion\.lt|s1\.tor\-gateways\.de|s2\.tor\-gateways\.de|s3\.tor\-gateways\.de|s4\.tor\-gateways\.de|s5\.tor\-gateways\.de|hiddenservice\.net</field>
    </rule>
    <rule id="900025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Executable from Webdav</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="data.c-useragent" negate="no" type="pcre2">(?i)WebDAV</field>
        <field name="data.c-uri" negate="no" type="pcre2">(?i)webdav</field>
        <field name="data.resp_mime_types" negate="no" type="pcre2">(?i)dosexec</field>
        <field name="data.c-uri" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900026" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.initial_access</id>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1068</id>
            <id>attack.t1190</id>
            <id>attack.t1203</id>
            <id>attack.t1021.006</id>
            <id>attack.t1210</id>
        </mitre>
        <description>OMIGOD HTTP No Authentication RCE</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="data.status_code" negate="no" type="pcre2">(?i)200</field>
        <field name="data.uri" negate="no" type="pcre2">(?i)/wsman</field>
        <field name="data.method" negate="no" type="pcre2">(?i)POST</field>
        <field name="data.client_header_names" negate="yes" type="pcre2">(?i)AUTHORIZATION</field>
        <field name="data.request_body_len" negate="yes" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900027" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>WebDav Put Request</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="full_log" negate="no" type="pcre2">(?i)WebDAV</field>
        <field name="data.method" negate="no" type="pcre2">(?i)PUT</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
    </rule>
    <rule id="900028" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Publicly Accessible RDP Service</description>
        <options>no_full_log</options>
        <group>zeek,rdp,</group>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)2620:83:8000::/48</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
    </rule>
    <rule id="900029" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>car.2013-05-004</id>
            <id>car.2015-04-001</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Remote Task Creation via ATSVC Named Pipe - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)atsvc</field>
    </rule>
    <rule id="900030" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Possible Impacket SecretDump Remote Activity - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+</field>
        <field name="data.path" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)SYSTEM32\\+</field>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\.tmp)$</field>
    </rule>
    <rule id="900031" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>First Time Seen Remote Named Pipe - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
    </rule>
    <rule id="900032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious PsExec Execution - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+</field>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+IPC\$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\-stdin|\-stdout|\-stderr)$</field>
        <field name="data.name" negate="yes" type="pcre2">(?i)^(?:PSEXESVC)</field>
    </rule>
    <rule id="900033" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
        </mitre>
        <description>Suspicious Access to Sensitive File Extensions - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\.pst|\.ost|\.msg|\.nst|\.oab|\.edb|\.nsf|\.bak|\.dmp|\.kirbi|\\+groups\.xml|\.rdp)$</field>
    </rule>
    <rule id="900034" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Transferring Files with Credential Data via Network Shares - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.name" negate="no" type="pcre2">(?i)\\+mimidrv|\\+lsass|\\+windows\\+minidump\\+|\\+hiberfil|\\+sqldmpr|\\+sam|\\+ntds\.dit|\\+security</field>
    </rule>
    <rule id="900035" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Kerberos Network Traffic RC4 Ticket Encryption</description>
        <options>no_full_log</options>
        <group>zeek,kerberos,</group>
        <field name="full_log" negate="no" type="pcre2">(?i)TGS</field>
        <field name="full_log" negate="no" type="pcre2">(?i)rc4\-hmac</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\$)</field>
    </rule>
    <rule id="900036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.s0002</id>
            <id>attack.lateral_movement</id>
            <id>attack.credential_access</id>
            <id>car.2013-07-001</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Mimikatz Use</description>
        <options>no_full_log</options>
        <group>windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)dpapi::masterkey|eo\.oe\.kiwi|event::clear|event::drop|gentilkiwi\.com|kerberos::golden|kerberos::ptc|kerberos::ptt|kerberos::tgt|Kiwi\ Legit\ Printer|lsadump::|mimidrv\.sys|\\+mimilib\.dll|misc::printnightmare|misc::shadowcopies|misc::skeleton|privilege::backup|privilege::debug|privilege::driver|sekurlsa::</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)15</field>
    </rule>
    <rule id="900037" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Malware Protection Engine Crash</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Application\ Error</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1000</field>
        <field name="full_log" negate="no" type="pcre2">(?i)MsMpEng\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)mpengine\.dll</field>
    </rule>
    <rule id="900038" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via WER - Application</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Application\ Error</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1000</field>
        <field name="full_log" negate="no" type="pcre2">(?i)lsass\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)c0000001</field>
    </rule>
    <rule id="900039" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Ntdsutil Abuse</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)ESENT</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)216|325|326|327</field>
        <field name="full_log" negate="no" type="pcre2">(?i)ntds\.dit</field>
    </rule>
    <rule id="900040" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.credential_access</id>
            <id>attack.t1212</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>attack.impact</id>
            <id>attack.t1499.004</id>
        </mitre>
        <description>Audit CVE Event</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Audit\-CVE|Audit\-CVE</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1</field>
    </rule>
    <rule id="900041" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>Backup Catalog Deleted</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)524</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Backup</field>
    </rule>
    <rule id="900042" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1072</id>
        </mitre>
        <description>Restricted Software Access By SRP</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-SoftwareRestrictionPolicies</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)865|866|867|868|882</field>
    </rule>
    <rule id="900043" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Application Uninstalled</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MsiInstaller</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1034|11724</field>
    </rule>
    <rule id="900044" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSI Installation From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MsiInstaller</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1040|1042</field>
        <field name="full_log" negate="no" type="pcre2">(?i):\\+Windows\\+TEMP\\+|\\+|\\+Desktop\\+|\\+PerfLogs\\+|\\+Users\\+Public\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+UpdHealthTools\.msi</field>
    </rule>
    <rule id="900045" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>MSI Installation From Web</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MsiInstaller</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1040|1042</field>
        <field name="full_log" negate="no" type="pcre2">(?i)://</field>
    </rule>
    <rule id="900046" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1219</id>
        </mitre>
        <description>Atera Agent Installation</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1033</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MsiInstaller</field>
        <field name="win.system.message" negate="no" type="pcre2">(?i)AteraAgent</field>
    </rule>
    <rule id="900047" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>MSSQL Add Account To Sysadmin Role</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)33205</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:sysadmin</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:statement:alter\ server\ role\ \[sysadmin\]\ add\ member\ )</field>
    </rule>
    <rule id="900048" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>MSSQL Disable Audit Settings</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)33205</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:ALTER\ SERVER\ AUDIT|statement:DROP\ SERVER\ AUDIT</field>
    </rule>
    <rule id="900049" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>MSSQL Server Failed Logon</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)18456</field>
    </rule>
    <rule id="900050" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>MSSQL Server Failed Logon From External Network</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)18456</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 10\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.16\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.17\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.18\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.19\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.20\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.21\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.22\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.23\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.24\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.25\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.26\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.27\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.28\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.29\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.30\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.31\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 192\.168\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 127\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 169\.254\.</field>
    </rule>
    <rule id="900051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>MSSQL SPProcoption Set</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)33205</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:sp_procoption</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:EXEC</field>
    </rule>
    <rule id="900052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSSQL XPCmdshell Suspicious Execution</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)33205</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:xp_cmdshell</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:EXEC</field>
    </rule>
    <rule id="900053" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSSQL XPCmdshell Option Change</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)MSSQLSERVER</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)15457</field>
        <field name="full_log" negate="no" type="pcre2">(?i)xp_cmdshell</field>
    </rule>
    <rule id="900054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588</id>
        </mitre>
        <description>Relevant Anti-Virus Signature Keywords In Application Log</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Adfind|ASP/BackDoor|ATK/|Backdoor\.ASP|Backdoor\.Cobalt|Backdoor\.JSP|Backdoor\.PHP|Blackworm|Brutel|BruteR|Chopper|Cobalt|COBEACON|Cometer|CRYPTES|Cryptor|Destructor|DumpCreds|Exploit\.Script\.CVE|FastReverseProxy|Filecoder|GrandCrab|HackTool|HKTL:|HKTL\.|HKTL/|HTool|IISExchgSpawnCMD|Impacket|JSP/BackDoor|Keylogger|Koadic|Krypt|Lazagne|Metasploit|Meterpreter|MeteTool|Mimikatz|Mpreter|Nighthawk|Packed\.Generic\.347|PentestPowerShell|Phobos|PHP/BackDoor|PowerSploit|PowerSSH|PshlSpy|PSWTool|PWCrack|PWDump|Ransom|Rozena|Ryzerlo|Sbelt|Seatbelt|SecurityTool|SharpDump|Sliver|Splinter|Swrort|Tescrypt|TeslaCrypt|Valyria|Webshell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Keygen</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Crack</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)anti_ransomware_service\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)cyber\-protect\-service\.exe</field>
        <field name="win.system.level" negate="yes" type="pcre2">(?i)4</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)Microsoft\-Windows\-RestartManager</field>
    </rule>
    <rule id="900055" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Command Execution</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)ScreenConnect</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)200</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Executed\ command\ of\ length</field>
    </rule>
    <rule id="900056" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect File Transfer</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)ScreenConnect</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)201</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Transferred\ files\ with\ action</field>
    </rule>
    <rule id="900057" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Malware Protection Engine Crash - WER</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Windows\ Error\ Reporting</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1001</field>
        <field name="full_log" negate="no" type="pcre2">(?i)MsMpEng\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)mpengine\.dll</field>
    </rule>
    <rule id="900058" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.t1059.001</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.006</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>File Was Not Allowed To Run</description>
        <options>no_full_log</options>
        <group>windows,applocker,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)8004|8007|8022|8025</field>
    </rule>
    <rule id="900059" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Sysinternals Tools AppX Versions Execution</description>
        <options>no_full_log</options>
        <group>windows,appmodel-runtime,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)201</field>
        <field name="full_log" negate="no" type="pcre2">(?i)procdump\.exe|psloglist\.exe|psexec\.exe|livekd\.exe|ADExplorer\.exe</field>
    </rule>
    <rule id="900060" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Deployment AppX Package Was Blocked By AppLocker</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)412</field>
    </rule>
    <rule id="900061" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Malicious AppX Package Installation Attempts</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)400|401</field>
        <field name="full_log" negate="no" type="pcre2">(?i)3669e262\-ec02\-4e9d\-bcb4\-3d008b4afac9</field>
    </rule>
    <rule id="900062" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Deployment Of The AppX Package Was Blocked By The Policy</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)441|442|453|454</field>
    </rule>
    <rule id="900063" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious AppX Package Installation Attempt</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)401</field>
        <field name="full_log" negate="no" type="pcre2">(?i)0x80073cff</field>
    </rule>
    <rule id="900064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Remote AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)854</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\.githubusercontent\.com|anonfiles\.com|cdn\.discordapp\.com|cdn\.discordapp\.com/attachments/|ddns\.net|dl\.dropboxusercontent\.com|ghostbin\.co|glitch\.me|gofile\.io|hastebin\.com|mediafire\.com|mega\.nz|onrender\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|send\.exploit\.in|sendspace\.com|storage\.googleapis\.com|storjshare\.io|supabase\.co|temp\.sh|transfer\.sh|ufile\.io</field>
    </rule>
    <rule id="900065" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)854</field>
        <field name="full_log" negate="no" type="pcre2">(?i)C:\\+Users\\+Public\\+|/users/public/|C:\\+PerfLogs\\+|C:/perflogs/|\\+Desktop\\+|/desktop/|\\+Downloads\\+|/Downloads/|C:\\+Windows\\+Temp\\+|C:/Windows/Temp/|\\+AppdData\\+Local\\+Temp\\+|/AppdData/Local/Temp/</field>
    </rule>
    <rule id="900066" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Uncommon AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)854</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SystemApps\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+PrintDialog\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)x\-windowsupdate://</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)file:///C:/Program%20Files</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://statics\.teams\.cdn\.office\.net/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)microsoft\.com</field>
    </rule>
    <rule id="900067" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Digital Signature Of AppX Package</description>
        <options>no_full_log</options>
        <group>windows,appxpackaging-om,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)157</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CN=Foresee\ Consulting\ Inc\.,\ O=Foresee\ Consulting\ Inc\.,\ L=North\ York,\ S=Ontario,\ C=CA,\ SERIALNUMBER=1004913\-1,\ OID\.1\.3\.6\.1\.4\.1\.311\.60\.2\.1\.3=CA,\ OID\.2\.5\.4\.15=Private\ Organization</field>
    </rule>
    <rule id="900068" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>New BITS Job Created Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="900069" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>New BITS Job Created Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
    </rule>
    <rule id="900070" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Downloading File Potential Suspicious Extension</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16403</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.bat|\.dll|\.exe|\.hta|\.ps1|\.psd1|\.sh|\.vbe|\.vbs)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.com</field>
    </rule>
    <rule id="900071" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download From File Sharing Domains</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16403</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\.githubusercontent\.com|anonfiles\.com|cdn\.discordapp\.com|cdn\.discordapp\.com/attachments/|ddns\.net|dl\.dropboxusercontent\.com|ghostbin\.co|glitch\.me|gofile\.io|hastebin\.com|mediafire\.com|mega\.nz|onrender\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|send\.exploit\.in|sendspace\.com|storage\.googleapis\.com|storjshare\.io|supabase\.co|temp\.sh|transfer\.sh|ufile\.io</field>
    </rule>
    <rule id="900072" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download From Direct IP</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16403</field>
        <field name="full_log" negate="no" type="pcre2">(?i)http://1|http://2|http://3|http://4|http://5|http://6|http://7|http://8|http://9|https://1|https://2|https://3|https://4|https://5|https://6|https://7|https://8|https://9</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://10\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://192\.168\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.16\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.17\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.18\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.19\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.20\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.21\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.22\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.23\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.24\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.25\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.26\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.27\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.28\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.29\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.30\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.31\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://127\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://169\.254\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://7\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)http://7\-</field>
    </rule>
    <rule id="900073" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job With Uncommon Or Suspicious Remote TLD</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16403</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.azureedge\.net/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.com/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.sfx\.ms/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)download\.mozilla\.org/</field>
    </rule>
    <rule id="900074" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download To Potential Suspicious Folder</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16403</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Desktop\\+|C:\\+Users\\+Public\\+|C:\\+PerfLogs\\+</field>
    </rule>
    <rule id="900075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>Certificate Private Key Acquired</description>
        <options>no_full_log</options>
        <group>windows,capi2,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)70</field>
    </rule>
    <rule id="900076" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>Certificate Exported From Local Certificate Store</description>
        <options>no_full_log</options>
        <group>windows,certificateservicesclient-lifecycle-system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1007</field>
    </rule>
    <rule id="900077" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>CodeIntegrity - Unmet Signing Level Requirements By File Under Validation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3033|3034</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+assembly\\+GAC\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
    </rule>
    <rule id="900078" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>CodeIntegrity - Unmet Signing Level Requirements By File Under Validation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3033|3034</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+DTrace\\+dtrace\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+svchost\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+System32\\+DriverStore\\+FileRepository\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+igd10iumd64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+nvspcap64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Keybase\\+Gui\\+Keybase\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+svchost\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+SIHClient\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office\\+root\\+vfs\\+ProgramFilesCommonX64\\+Microsoft\ Shared\\+OFFICE</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+MSOXMLMF\.DLL)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+nvspcap64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+slack\\+app\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+mozavcodec\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+mozavutil\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+firefox\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Avast\ Software\\+Avast\\+aswAMSI\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Avast\ Software\\+Avast\\+aswAMSI\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+crashpad_handler\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Trend\ Micro\\+Client\ Server\ Security\ Agent\\+perficrcperfmonmgr\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+National\ Instruments\\+Shared\\+mDNS\ Responder\\+nimdnsNSP\.dll\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+McAfee\\+Endpoint\ Security\\+Threat\ Prevention\\+MfeAmsiProvider\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+McAfee\\+MfeAV\\+AMSIExt\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+ESET\\+ESET\ Security\\+eamsi\.dll)</field>
    </rule>
    <rule id="900079" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3104</field>
    </rule>
    <rule id="900080" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>CodeIntegrity - Blocked Image/Driver Load For Policy Violation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3077</field>
    </rule>
    <rule id="900081" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>CodeIntegrity - Blocked Driver Load With Revoked Certificate</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3023</field>
    </rule>
    <rule id="900082" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Revoked Kernel Driver Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3021|3022</field>
    </rule>
    <rule id="900083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Blocked Image Load With Revoked Certificate</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3036</field>
    </rule>
    <rule id="900084" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Revoked Image Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3032|3035</field>
    </rule>
    <rule id="900085" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unsigned Kernel Module Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3001</field>
    </rule>
    <rule id="900086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unsigned Image Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3037</field>
    </rule>
    <rule id="900087" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3082|3083</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)system32\\+drivers\\+vsock\.sys</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)System32\\+drivers\\+vmci\.sys</field>
    </rule>
    <rule id="900088" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Loading Diagcab Package From Remote Path</description>
        <options>no_full_log</options>
        <group>windows,diagnosis-scripted,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)101</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+</field>
    </rule>
    <rule id="900089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query for Anonfiles.com Domain - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.anonfiles\.com</field>
    </rule>
    <rule id="900090" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To MEGA Hosting Website - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)userstorage\.mega\.co\.nz</field>
    </rule>
    <rule id="900091" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>Query Tor Onion Address - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.onion</field>
    </rule>
    <rule id="900092" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To Ufile.io - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)ufile\.io</field>
    </rule>
    <rule id="900093" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:aaa\.stage\.|post\.1)</field>
    </rule>
    <rule id="900094" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3008</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.stage\.123456\.</field>
    </rule>
    <rule id="900095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1590.002</id>
        </mitre>
        <description>Failed DNS Zone Transfer</description>
        <options>no_full_log</options>
        <group>windows,dns-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)6004</field>
    </rule>
    <rule id="900096" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DNS Server Error Failed Loading the ServerLevelPluginDLL</description>
        <options>no_full_log</options>
        <group>windows,dns-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)150|770|771</field>
    </rule>
    <rule id="900097" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1200</id>
        </mitre>
        <description>USB Device Plugged</description>
        <options>no_full_log</options>
        <group>windows,driver-framework,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2003|2100|2102</field>
    </rule>
    <rule id="900098" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Uncommon New Firewall Rule Added In Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2004|2071</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)2</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+PerfLogs\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+Tasks\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="900099" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Uncommon New Firewall Rule Added In Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2004|2071</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+MsMpEng\.exe</field>
    </rule>
    <rule id="900100" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2004|2071</field>
        <field name="full_log" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)2</field>
    </rule>
    <rule id="900101" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>All Rules Have Been Deleted From The Windows Firewall Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2033|2059</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+svchost\.exe)</field>
    </rule>
    <rule id="900102" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>All Rules Have Been Deleted From The Windows Firewall Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2033|2059</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+MsMpEng\.exe</field>
    </rule>
    <rule id="900103" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>A Rule Has Been Deleted From The Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2006|2052</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)None</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="900104" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>A Rule Has Been Deleted From The Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2006|2052</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)</field>
    </rule>
    <rule id="900105" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>The Windows Defender Firewall Service Failed To Load Group Policy</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2009</field>
    </rule>
    <rule id="900106" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Windows Defender Firewall Has Been Reset To Its Default Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2032|2060</field>
    </rule>
    <rule id="900107" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Windows Firewall Settings Have Been Changed</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)2002|2083|2003|2082|2008</field>
    </rule>
    <rule id="900108" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Potential Active Directory Reconnaissance/Enumeration Via LDAP</description>
        <options>no_full_log</options>
        <group>windows,ldap,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)30</field>
        <field name="full_log" negate="no" type="pcre2">(?i)$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483648$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483656$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483652$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483650$|$sAMAccountType=805306369$|$sAMAccountType=805306368$|$sAMAccountType=536870913$|$sAMAccountType=536870912$|$sAMAccountType=268435457$|$sAMAccountType=268435456$|$objectCategory=groupPolicyContainer$|$objectCategory=organizationalUnit$|$objectCategory=Computer$|$objectCategory=nTDSDSA$|$objectCategory=server$|$objectCategory=domain$|$objectCategory=person$|$objectCategory=group$|$objectCategory=user$|$objectClass=trustedDomain$|$objectClass=computer$|$objectClass=server$|$objectClass=group$|$objectClass=user$|$primaryGroupID=521$|$primaryGroupID=516$|$primaryGroupID=515$|$primaryGroupID=512$|Domain\ Admins|objectGUID=\\+|$schemaIDGUID=\\+.+$</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)30</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)$domainSid=.+$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)$objectSid=.+$</field>
    </rule>
    <rule id="900109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Potential Active Directory Reconnaissance/Enumeration Via LDAP</description>
        <options>no_full_log</options>
        <group>windows,ldap,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)30</field>
        <field name="full_log" negate="no" type="pcre2">(?i)$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=4194304$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=2097152$|!$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=1048574$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=524288$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=65536$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=8192$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=544$|!$UserAccountControl:1\.2\.840\.113556\.1\.4\.803:=2$|msDS\-AllowedToActOnBehalfOfOtherIdentity|msDS\-AllowedToDelegateTo|msDS\-GroupManagedServiceAccount|$accountExpires=9223372036854775807$|$accountExpires=0$|$adminCount=1$|ms\-MCS\-AdmPwd</field>
    </rule>
    <rule id="900110" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Standard User In High Privileged Group</description>
        <options>no_full_log</options>
        <group>windows,lsa-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)300</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)S\-1\-5\-32\-544|\-500\}|\-518\}|\-519\}</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-500)$</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-518)$</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-519)$</field>
    </rule>
    <rule id="900111" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587.001</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>ProxyLogon MSExchange OabVirtualDirectory</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:OabVirtualDirectory|\ \-ExternalUrl\ )</field>
        <field name="full_log" negate="no" type="pcre2">(?i)eval$request|http://f/&lt;script|"unsafe"\};|function\ Page_Load\($</field>
    </rule>
    <rule id="900112" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Certificate Request Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)New\-ExchangeCertificate|\ \-GenerateRequest|\ \-BinaryEncoded|\ \-RequestFile</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+localhost\\+C\$|\\+127\.0\.0\.1\\+C\$|C:\\+inetpub|\.aspx</field>
    </rule>
    <rule id="900113" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Mailbox Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:New\-MailboxExportRequest|\ \-Mailbox\ )</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-FilePath\ "\\+|\.aspx</field>
    </rule>
    <rule id="900114" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Mailbox Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:New\-ManagementRoleAssignment|\ \-Role\ "Mailbox\ Import\ Export"|\ \-User\ )</field>
    </rule>
    <rule id="900115" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Remove Exported Mailbox from Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Remove\-MailboxExportRequest|\ \-Identity\ |\ \-Confirm\ "False"</field>
    </rule>
    <rule id="900116" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Exchange Set OabVirtualDirectory ExternalUrl Property</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Set\-OabVirtualDirectory|ExternalUrl|Page_Load|script</field>
    </rule>
    <rule id="900117" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>MSExchange Transport Agent Installation - Builtin</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Install\-TransportAgent</field>
    </rule>
    <rule id="900118" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>Failed MSExchange Transport Agent Installation</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)6</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Install\-TransportAgent</field>
    </rule>
    <rule id="900119" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>NTLM Logon</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)8002</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i).+</field>
    </rule>
    <rule id="900120" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>NTLM Brute Force</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)8004</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)Rdesktop|Remmina|Freerdp|Windows7|Windows8|Windows2012|Windows2016|Windows2019</field>
    </rule>
    <rule id="900121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Potential Remote Desktop Connection to Non-Domain Host</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)8001</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)^(?:TERMSRV)</field>
    </rule>
    <rule id="900122" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.004</id>
        </mitre>
        <description>OpenSSH Server Listening On Socket</description>
        <options>no_full_log</options>
        <group>windows,openssh,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4</field>
        <field name="full_log" negate="no" type="pcre2">(?i)sshd</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)^(?:Server\ listening\ on\ )</field>
    </rule>
    <rule id="900123" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>Azure AD Health Monitoring Agent Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4663</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)Key</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+Microsoft\ Online\\+Reporting\\+MonitoringAgent</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.DiagnosticsAgent\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.InsightsService\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.MonitoringAgent\.Startup\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Common\.Clients\.ResourceMonitor\.exe</field>
    </rule>
    <rule id="900124" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>Azure AD Health Service Agents Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4663</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)Key</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+ADHealthAgent</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.DiagnosticsAgent\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.InsightsService\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.MonitoringAgent\.Startup\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Common\.Clients\.ResourceMonitor\.exe</field>
    </rule>
    <rule id="900125" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Powerview Add-DomainObjectAcl DCSync AD Extend Right</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)ntSecurityDescriptor</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i)1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)dnsNode</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)dnsZoneScope</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)dnsZone</field>
    </rule>
    <rule id="900126" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>AD Privileged Users or Groups Reconnaissance</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4661</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SAM_USER|SAM_GROUP</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\-512|\-502|\-500|\-505|\-519|\-520|\-544|\-551|\-555)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)admin</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900127" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4898</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900128" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4899</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability with Risky EKU</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4898</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability with Risky EKU</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4898</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4899</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900131" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Add or Remove Computer from DC</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4741|4743</field>
    </rule>
    <rule id="900132" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Access To ADMIN$ Network Share</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5140</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)Admin\$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900133" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222.001</id>
        </mitre>
        <description>AD Object WriteDAC Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)DS</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x40000</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)19195a5b\-6da0\-11d0\-afd3\-00c04fd930c9|domainDNS</field>
    </rule>
    <rule id="900134" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Active Directory Replication from Non Machine Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x100</field>
        <field name="win.eventdata.properties" negate="no" type="pcre2">(?i)1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
    </rule>
    <rule id="900135" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>Potential AD User Enumeration From Non-Machine Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)bf967aba\-0de6\-11d0\-a285\-00aa003049e2</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)(?:1.|3.|4.|7.|9.|B.|D.|F.)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
    </rule>
    <rule id="900136" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900137" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
    </rule>
    <rule id="900138" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)msDS\-AllowedToDelegateTo</field>
    </rule>
    <rule id="900139" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.objectClass" negate="no" type="pcre2">(?i)user</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)servicePrincipalName</field>
    </rule>
    <rule id="900140" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)msDS\-AllowedToActOnBehalfOfOtherIdentity</field>
    </rule>
    <rule id="900141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:8...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:A...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:C...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:E...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F...)$</field>
    </rule>
    <rule id="900142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
    </rule>
    <rule id="900143" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:8..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:A..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:C..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:E..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:8..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:A..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:C..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:E..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F..)$</field>
    </rule>
    <rule id="900144" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1087</id>
            <id>attack.t1114</id>
            <id>attack.t1059</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Hacktool Ruler</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4776</field>
        <field name="full_log" negate="no" type="pcre2">(?i)RULER</field>
    </rule>
    <rule id="900145" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1087</id>
            <id>attack.t1114</id>
            <id>attack.t1059</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Hacktool Ruler</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624|4625</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)RULER</field>
    </rule>
    <rule id="900146" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>car.2013-05-004</id>
            <id>car.2015-04-001</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Remote Task Creation via ATSVC Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)atsvc</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData</field>
    </rule>
    <rule id="900147" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Security Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)517</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Security</field>
    </rule>
    <rule id="900148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Security Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1102</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Eventlog</field>
    </rule>
    <rule id="900149" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Processes Accessing the Microphone and Webcam</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657|4656|4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+CapabilityAccessManager\\+ConsentStore\\+microphone\\+NonPackaged|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+CapabilityAccessManager\\+ConsentStore\\+webcam\\+NonPackaged</field>
    </rule>
    <rule id="900150" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="900151" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)%COMSPEC%</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900152" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell\ \-nop\ \-w\ hidden\ \-encodedcommand</field>
    </rule>
    <rule id="900153" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">IEX\ $New\-Object\ Net\.Webclient$\.DownloadString\('http://127\.0\.0\.1:</field>
    </rule>
    <rule id="900154" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.001</id>
        </mitre>
        <description>Failed Code Integrity Checks</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5038|6281</field>
    </rule>
    <rule id="900155" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>DCERPC SMB Spoolss Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)spoolss</field>
    </rule>
    <rule id="900156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>DCOM InternetExplorer.Application Iertutil DLL Hijack - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900157" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.s0002</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Mimikatz DC Sync</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.properties" negate="no" type="pcre2">(?i)Replicating\ Directory\ Changes\ All|1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|9923a32a\-3607\-11d2\-b9be\-0000f87a36b2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x100</field>
        <field name="win.eventdata.subjectDomainName" negate="yes" type="pcre2">(?i)Window\ Manager</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:NT\ AUT)</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900158" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1200</id>
        </mitre>
        <description>Device Installation Blocked</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)6423</field>
    </rule>
    <rule id="900159" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4719</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448|%%8450</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9210\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9211\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9212\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9215\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9217\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE921B\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE922B\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE922F\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9230\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9235\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9236\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9237\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE923F\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9240\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\{0CCE9242\-69AE\-11D9\-BED3\-505054503030\}</field>
    </rule>
    <rule id="900160" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Important Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4719</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\{0CCE9210\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9211\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9212\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9215\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE921B\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE922B\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE922F\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9230\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9235\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9236\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9237\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE923F\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9240\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9242\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448|%%8450</field>
    </rule>
    <rule id="900161" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Important Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4719</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\{0CCE9217\-69AE\-11D9\-BED3\-505054503030\}</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448</field>
    </rule>
    <rule id="900162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Registry</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+\.NETFramework)$</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)ETWEnabled</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900163" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Registry</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Environment</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)COMPlus_ETWEnabled|COMPlus_ETWFlags</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.004</id>
        </mitre>
        <description>DPAPI Domain Backup Key Extraction</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SecretObject</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x2</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)BCKUPKEY</field>
    </rule>
    <rule id="900165" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.004</id>
        </mitre>
        <description>DPAPI Domain Master Key Backup Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4692</field>
    </rule>
    <rule id="900166" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Persistence and Execution at Scale via GPO Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+SYSVOL</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:ScheduledTasks\.xml)$</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData|%%4417</field>
    </rule>
    <rule id="900167" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Hidden Local User Creation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4720</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)HomeGroupUser\$</field>
    </rule>
    <rule id="900168" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>HackTool - EDRSilencer Execution - Filter Added</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5441|5447</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Custom\ Outbound\ Filter</field>
    </rule>
    <rule id="900169" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - NoFilter Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5447</field>
        <field name="full_log" negate="no" type="pcre2">(?i)RonPolicy</field>
    </rule>
    <rule id="900170" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - NoFilter Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5449</field>
        <field name="full_log" negate="no" type="pcre2">(?i)RonPolicy</field>
    </rule>
    <rule id="900171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>HybridConnectionManager Service Installation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)HybridConnectionManager</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)HybridConnectionManager</field>
    </rule>
    <rule id="900172" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Impacket PsExec Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)RemCom_stdin|RemCom_stdout|RemCom_stderr</field>
    </rule>
    <rule id="900173" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Possible Impacket SecretDump Remote Activity</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+ADMIN\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)SYSTEM32\\+</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)\.tmp</field>
    </rule>
    <rule id="900174" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)clipboard\]::</field>
    </rule>
    <rule id="900175" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="900176" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)readtoend</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
    </rule>
    <rule id="900177" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900178" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)environment|invoke|\$\{input\)</field>
    </rule>
    <rule id="900179" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\(Clipboard\|i</field>
    </rule>
    <rule id="900180" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)window\.close</field>
    </rule>
    <rule id="900181" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900182" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="900183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO Image Mounted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)Security</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)File</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:\\+Device\\+CdRom)</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)\\+Device\\+CdRom0\\+autorun\.ico</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)\\+Device\\+CdRom0\\+setup\.exe</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)\\+Device\\+CdRom0\\+setup64\.exe</field>
    </rule>
    <rule id="900184" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>First Time Seen Remote Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)atsvc</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)samr</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)lsass</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)browser</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)sql\\+query</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)eventlog</field>
    </rule>
    <rule id="900185" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access From Non System Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663|4656</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x100000|0x1010|0x1400|0x1410|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40|143a|1f0fff|1f1fff|1f2fff|1f3fff</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)Process</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe</field>
        <field name="win.eventdata.accessMask" negate="yes" type="pcre2">(?i)0x1410</field>
    </rule>
    <rule id="900186" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access From Non System Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663|4656</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x100000|0x1010|0x1400|0x1410|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40|143a|1f0fff|1f1fff|1f2fff|1f3fff</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)Process</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+SteamLibrary\\+steamapps\\+</field>
    </rule>
    <rule id="900187" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
            <id>attack.t1569.002</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Credential Dumping Tools Service Execution - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cachedump|dumpsvc|fgexec|gsecdump|mimidrv|pwdump|servpw</field>
    </rule>
    <rule id="900188" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1003</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Malicious Service Installations</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)javamtsup</field>
    </rule>
    <rule id="900189" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.s0005</id>
        </mitre>
        <description>WCE wceaux.dll Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4658|4660|4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+wceaux\.dll)$</field>
    </rule>
    <rule id="900190" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Metasploit SMB Authentication</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4625|4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)NTLM</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)^[A-Za-z0-9]{16}$</field>
    </rule>
    <rule id="900191" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Metasploit SMB Authentication</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4776</field>
        <field name="full_log" negate="no" type="pcre2">(?i)[A-Za-z0-9]{16}</field>
    </rule>
    <rule id="900192" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1570</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Metasploit Or Impacket Service Installation Via SMB PsExec</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)^%systemroot%\\+[a-zA-Z]{8}\.exe$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)3</field>
        <field name="full_log" negate="no" type="pcre2">(?i)0x10</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)PSEXESVC</field>
    </rule>
    <rule id="900193" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="900194" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="900195" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)^(?:\\+127\.0\.0\.1\\+ADMIN\$\\+)</field>
    </rule>
    <rule id="900196" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NetNTLM Downgrade Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+REGISTRY\\+MACHINE\\+SYSTEM</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Control\\+Lsa</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)LmCompatibilityLevel|NtlmMinClientSec|RestrictSendingNTLMTraffic</field>
    </rule>
    <rule id="900197" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Windows Network Access Suspicious desktop.ini Action</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)File</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+desktop\.ini)$</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)WriteData|DELETE|WriteDAC|AppendData|AddSubdirectory</field>
    </rule>
    <rule id="900198" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4720</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900199" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4781</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900200" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)4720</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)HomeGroupUser\$</field>
    </rule>
    <rule id="900201" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Denied Access To Remote Desktop</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4825</field>
    </rule>
    <rule id="900202" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1201</id>
        </mitre>
        <description>Password Policy Enumerated</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4661</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%5392</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)Security\ Account\ Manager</field>
    </rule>
    <rule id="900203" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pcap_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Windows Pcap Drivers</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)pcap|npcap|npf|nm3|ndiscap|nmnt|windivert|USBPcap|pktmon</field>
    </rule>
    <rule id="900204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1187</id>
        </mitre>
        <description>Possible PetitPotam Coerce Authentication Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+)</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)(?:\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)lsarpc</field>
        <field name="win.eventdata.subjectUserName" negate="no" type="pcre2">(?i)ANONYMOUS\ LOGON</field>
    </rule>
    <rule id="900205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1187</id>
        </mitre>
        <description>PetitPotam Suspicious Kerberos TGT Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4768</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i).+</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)::1</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="900206" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Possible DC Shadow Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4742</field>
        <field name="full_log" negate="no" type="pcre2">(?i)GC/</field>
    </rule>
    <rule id="900207" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Possible DC Shadow Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)servicePrincipalName</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i)^(?:GC/)</field>
    </rule>
    <rule id="900208" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell Scripts Installed as Services - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="900209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Protected Storage Service Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)IPC</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)protected_storage</field>
    </rule>
    <rule id="900210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1090.001</id>
            <id>attack.t1090.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP over Reverse SSH Tunnel WFP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5156</field>
        <field name="win.eventdata.sourcePort" negate="no" type="pcre2">(?i)3389</field>
        <field name="full_log" negate="no" type="pcre2">(?i)127\.|::1</field>
    </rule>
    <rule id="900211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1090.001</id>
            <id>attack.t1090.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP over Reverse SSH Tunnel WFP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5156</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)3389</field>
        <field name="full_log" negate="no" type="pcre2">(?i)127\.|::1</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)AppContainer\ Loopback</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
    </rule>
    <rule id="900212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Register new Logon Process by Rubeus</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4611</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)User32LogonProcesss</field>
    </rule>
    <rule id="900213" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Service Registry Key Read Access Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+SYSTEM\\+</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)ControlSet\\+Services\\+</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%1538</field>
    </rule>
    <rule id="900214" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Remote PowerShell Sessions Network Connections (WinRM)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5156</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)5985|5986</field>
        <field name="full_log" negate="no" type="pcre2">(?i)44</field>
    </rule>
    <rule id="900215" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
        </mitre>
        <description>Replay Attack Detected</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4649</field>
    </rule>
    <rule id="900216" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>SAM Registry Hive Handle Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)Key</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+SAM)$</field>
    </rule>
    <rule id="900217" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1010</id>
        </mitre>
        <description>SCM Database Handle Failure</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SC_MANAGER\ OBJECT</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)ServicesActive</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0xf003f</field>
        <field name="win.eventdata.subjectLogonId" negate="yes" type="pcre2">(?i)0x3e4</field>
    </rule>
    <rule id="900218" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>SCM Database Privileged Operation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4674</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SC_MANAGER\ OBJECT</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)servicesactive</field>
        <field name="win.eventdata.privilegeList" negate="no" type="pcre2">(?i)SeTakeOwnershipPrivilege</field>
        <field name="win.eventdata.subjectLogonId" negate="yes" type="pcre2">(?i)0x3e4</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+services\.exe)$</field>
    </rule>
    <rule id="900219" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Remote Access Tool Services Have Been Installed - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)AmmyyAdmin|Atera|BASupportExpressSrvcUpdater|BASupportExpressStandaloneService|chromoting|GoToAssist|GoToMyPC|jumpcloud|LMIGuardianSvc|LogMeIn|monblanking|Parsec|RManService|RPCPerformanceService|RPCService|SplashtopRemoteService|SSUService|TeamViewer|TightVNC|vncserver|Zoho</field>
    </rule>
    <rule id="900220" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>SMB Create Remote File Admin Share</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)(?:C\$)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x2</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A New Trust Was Created To A Domain</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4706</field>
    </rule>
    <rule id="900222" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.005</id>
        </mitre>
        <description>Addition of SID History to Active Directory Object</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4765|4766</field>
    </rule>
    <rule id="900223" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.005</id>
        </mitre>
        <description>Addition of SID History to Active Directory Object</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4738</field>
        <field name="win.eventdata.sidHistory" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.sidHistory" negate="yes" type="pcre2">(?i)%%1793</field>
        <field name="win.eventdata.sidHistory" negate="no" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900224" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2021.42278</id>
            <id>cve.2021.42287</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Win Susp Computer Name Containing Samtheadmin</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)^(?:SAMTHEADMIN\-)</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900225" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2021.42278</id>
            <id>cve.2021.42287</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Win Susp Computer Name Containing Samtheadmin</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:SAMTHEADMIN\-)</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Password Change on Directory Service Restore Mode (DSRM) Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4794</field>
    </rule>
    <rule id="900227" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.initial_access</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Account Tampering - Suspicious Failed Logon Reasons</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4625|4776</field>
        <field name="win.eventdata.status" negate="no" type="pcre2">(?i)0xC0000072|0xC000006F|0xC0000070|0xC0000413|0xC000018C|0xC000015B</field>
        <field name="win.eventdata.subjectUserSid" negate="yes" type="pcre2">(?i)S\-1\-0\-0</field>
    </rule>
    <rule id="900228" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1212</id>
        </mitre>
        <description>Kerberos Manipulation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)675|4768|4769|4771</field>
        <field name="win.eventdata.status" negate="no" type="pcre2">(?i)0x9|0xA|0xB|0xF|0x10|0x11|0x13|0x14|0x1A|0x1F|0x21|0x22|0x23|0x24|0x26|0x27|0x28|0x29|0x2C|0x2D|0x2E|0x2F|0x31|0x32|0x3E|0x3F|0x40|0x41|0x43|0x44</field>
    </rule>
    <rule id="900229" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious LDAP-Attributes Used</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i).+</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)primaryInternationalISDNNumber|otherFacsimileTelephoneNumber|primaryTelexNumber</field>
    </rule>
    <rule id="900230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
            <id>attack.t1136.002</id>
        </mitre>
        <description>Suspicious Windows ANONYMOUS LOGON Local Account Created</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4720</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)ANONYMOUS</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)LOGON</field>
    </rule>
    <rule id="900231" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1078</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Suspicious Remote Logon with Explicit Credentials</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4648</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+winrs\.exe|\\+wmic\.exe|\\+net\.exe|\\+net1\.exe|\\+reg\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)localhost</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900232" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Password Dumper Activity on LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x705</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SAM_DOMAIN</field>
    </rule>
    <rule id="900233" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x40|0x1400|0x100000|0x1410|0x1010|0x1438|0x143a|0x1418|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff</field>
    </rule>
    <rule id="900234" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)4484|4416</field>
    </rule>
    <rule id="900235" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+csrss\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+GamingServices\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+lsm\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdate\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+minionhost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MRT\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+perfmon\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+VsTskMgr\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+wininit\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+wmiprvse\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:RtkAudUService64)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SysNative\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWow64\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+taskhostw\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+CCM\\+CcmExec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Sysmon64\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\-sc\\+aurora\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+x64\\+SCENARIOENGINE\.EXE)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+avira_system_speedup\.tmp)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+avira_speedup_setup_update\.tmp)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+snmp\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SystemTemp\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
    </rule>
    <rule id="900236" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
    </rule>
    <rule id="900237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.002</id>
            <id>attack.s0039</id>
        </mitre>
        <description>Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4661</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x2d</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)SAM_USER|SAM_GROUP</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\-500|\-512)$</field>
    </rule>
    <rule id="900238" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Password Protected ZIP File Opened</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5379</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="yes" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook</field>
    </rule>
    <rule id="900239" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1105</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Password Protected ZIP File Opened (Suspicious Filenames)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5379</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)invoice|new\ order|rechnung|factura|delivery|purchase|order|payment</field>
    </rule>
    <rule id="900240" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.initial_access</id>
            <id>attack.t1027</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Password Protected ZIP File Opened (Email Attachment)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5379</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook</field>
    </rule>
    <rule id="900241" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5156</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)88</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="900242" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5156</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)88</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+tomcat\\+bin\\+tomcat8\.exe)$</field>
    </rule>
    <rule id="900243" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556</id>
        </mitre>
        <description>Possible Shadow Credentials Added</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5136</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)msDS\-KeyCredentialLink</field>
    </rule>
    <rule id="900244" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious PsExec Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\-stdin|\-stdout|\-stderr)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:PSEXESVC)</field>
    </rule>
    <rule id="900245" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1039</id>
        </mitre>
        <description>Suspicious Access to Sensitive File Extensions</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\.bak|\.dmp|\.edb|\.kirbi|\.msg|\.nsf|\.nst|\.oab|\.ost|\.pst|\.rdp|\\+groups\.xml)$</field>
    </rule>
    <rule id="900246" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Suspicious Kerberos RC4 Ticket Encryption</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4769</field>
        <field name="win.eventdata.ticketOptions" negate="no" type="pcre2">(?i)0x40810000</field>
        <field name="win.eventdata.ticketEncryptionType" negate="no" type="pcre2">(?i)0x17</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Important Scheduled Task Deleted/Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4699|4701</field>
        <field name="win.eventdata.taskName" negate="no" type="pcre2">(?i)\\+Windows\\+SystemRestore\\+SR|\\+Windows\\+Windows\ Defender\\+|\\+Windows\\+BitLocker|\\+Windows\\+WindowsBackup\\+|\\+Windows\\+WindowsUpdate\\+|\\+Windows\\+UpdateOrchestrator\\+Schedule|\\+Windows\\+ExploitGuard</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)4699</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.taskName" negate="yes" type="pcre2">(?i)\\+Windows\\+Windows\ Defender\\+</field>
    </rule>
    <rule id="900248" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
            <id>attack.t1027.005</id>
            <id>attack.t1485</id>
            <id>attack.t1553.002</id>
            <id>attack.s0195</id>
        </mitre>
        <description>Secure Deletion with SDelete</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4663|4658</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\.AAA|\.ZZZ)$</field>
    </rule>
    <rule id="900249" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.006</id>
        </mitre>
        <description>Unauthorized System Time Modification</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4616</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+VMware\\+VMware\ Tools\\+vmtoolsd\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+VBoxService\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+oobe\\+msoobe\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.subjectUserSid" negate="yes" type="pcre2">(?i)S\-1\-5\-19</field>
    </rule>
    <rule id="900250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Remote Service Activity via SVCCTL Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)\\+.+\\+IPC\$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)svcctl</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData</field>
    </rule>
    <rule id="900251" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>SysKey Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4663</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)key</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:lsa\\+JD|lsa\\+GBG|lsa\\+Skew1|lsa\\+Data)$</field>
    </rule>
    <rule id="900252" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Sysmon Channel Reference Deletion</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)WINEVT\\+Publishers\\+\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}|WINEVT\\+Channels\\+Microsoft\-Windows\-Sysmon/Operational</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)Enabled</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Sysmon Channel Reference Deletion</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)WINEVT\\+Publishers\\+\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}|WINEVT\\+Channels\\+Microsoft\-Windows\-Sysmon/Operational</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)65536</field>
    </rule>
    <rule id="900254" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Driver Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4697</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)tap0901</field>
    </rule>
    <rule id="900255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious Teams Application Related ObjectAcess Event</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Teams\\+current\\+Teams\.exe</field>
    </rule>
    <rule id="900256" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Transferring Files with Credential Data via Network Shares</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)\\+mimidrv|\\+lsass|\\+windows\\+minidump\\+|\\+hiberfil|\\+sqldmpr|\\+sam|\\+ntds\.dit|\\+security</field>
    </rule>
    <rule id="900257" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>User Added to Local Administrator Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4732</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:Administr)</field>
        <field name="win.eventdata.targetSid" negate="no" type="pcre2">(?i)S\-1\-5\-32\-544</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900258" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4673</field>
        <field name="win.eventdata.service" negate="no" type="pcre2">(?i)LsaRegisterLogonProcess</field>
        <field name="full_log" negate="no" type="pcre2">(?i)0x8010000000000000</field>
    </rule>
    <rule id="900259" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Local User Creation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4720</field>
    </rule>
    <rule id="900260" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Privileged System Service Operation - SeLoadDriverPrivilege</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4673</field>
        <field name="win.eventdata.privilegeList" negate="no" type="pcre2">(?i)SeLoadDriverPrivilege</field>
        <field name="win.eventdata.service" negate="no" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Dism\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+rundll32\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+fltMC\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+HelpPane\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+mmc\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+wimserv\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+RuntimeBroker\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+SystemSettingsBroker\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft)</field>
    </rule>
    <rule id="900261" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1531</id>
        </mitre>
        <description>User Logoff Event</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4634|4647</field>
    </rule>
    <rule id="900262" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>VSSAudit Security Event Source Registration</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.auditSourceName" negate="no" type="pcre2">(?i)VSSAudit</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4904|4905</field>
    </rule>
    <rule id="900263" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion List Modified</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4657</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900264" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion Reigstry Key - Write Access Requested</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%4417|%%4418</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4656|4663</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900265" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion Deleted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4660</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>T1047 Wmiprvse Wbemcomn DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5145</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900267" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4662</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)WMI\ Namespace</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)subscription</field>
    </rule>
    <rule id="900268" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
        </mitre>
        <description>Locked Workstation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4800</field>
    </rule>
    <rule id="900269" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>stp.4u</id>
        </mitre>
        <description>Potential Access Token Abuse</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)9</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)Advapi</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)Negotiate</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%1833</field>
    </rule>
    <rule id="900270" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1078.001</id>
            <id>attack.t1078.002</id>
            <id>attack.t1078.003</id>
            <id>car.2016-04-005</id>
        </mitre>
        <description>Admin User Remote Logon</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)10</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)Negotiate</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:Admin)</field>
    </rule>
    <rule id="900271" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>DiagTrackEoP Default Login Username</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)9</field>
        <field name="full_log" negate="no" type="pcre2">(?i)thisisnotvaliduser</field>
    </rule>
    <rule id="900272" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Member Was Added to a Security-Enabled Global Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4728|632</field>
    </rule>
    <rule id="900273" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Member Was Removed From a Security-Enabled Global Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)633|4729</field>
    </rule>
    <rule id="900274" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.s0002</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Successful Overpass the Hash Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)9</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)seclogo</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)Negotiate</field>
    </rule>
    <rule id="900275" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.subjectUserSid" negate="no" type="pcre2">(?i)S\-1\-0\-0</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)NtLmSsp</field>
        <field name="win.eventdata.keyLength" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900276" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)9</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)seclogo</field>
    </rule>
    <rule id="900277" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)ANONYMOUS\ LOGON</field>
    </rule>
    <rule id="900278" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Scanner PoC for CVE-2019-0708 RDP RCE Vuln</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4625</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)AAAAAAA</field>
    </rule>
    <rule id="900279" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>car.2013-07-002</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>RDP Login from Localhost</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)10</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)::1|127\.0\.0\.1</field>
    </rule>
    <rule id="900280" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Remote WMI ActiveScriptEventConsumers</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:scrcons\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)0x3e7</field>
    </rule>
    <rule id="900281" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Security-Enabled Global Group Was Deleted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4730|634</field>
    </rule>
    <rule id="900282" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.credential_access</id>
            <id>attack.t1133</id>
            <id>attack.t1078</id>
            <id>attack.t1110</id>
        </mitre>
        <description>External Remote RDP Logon from Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)\-</field>
    </rule>
    <rule id="900283" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.credential_access</id>
            <id>attack.t1133</id>
            <id>attack.t1078</id>
            <id>attack.t1110</id>
        </mitre>
        <description>External Remote SMB Logon from Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)\-</field>
    </rule>
    <rule id="900284" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.t1078</id>
            <id>attack.t1190</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Failed Logon From Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4625</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
    </rule>
    <rule id="900285" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>KrbRelayUp Attack Pattern</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)Kerberos</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)127\.0\.0\.1</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)(?:\-500)$</field>
    </rule>
    <rule id="900286" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550</id>
        </mitre>
        <description>Outgoing Logon with New Credentials</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)9</field>
    </rule>
    <rule id="900287" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>RottenPotato Like Attack Pattern</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)3</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)ANONYMOUS\ LOGON</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)127\.0\.0\.1|::1</field>
    </rule>
    <rule id="900288" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Successful Account Login Via WMI</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)4624</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
    </rule>
    <rule id="900289" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Windows Filtering Platform Blocked Connection From EDR Agent Binary</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5157</field>
        <field name="win.eventdata.application" negate="no" type="pcre2">(?i)(?:\\+AmSvc\.exe|\\+cb\.exe|\\+CETASvc\.exe|\\+CNTAoSMgr\.exe|\\+CrAmTray\.exe|\\+CrsSvc\.exe|\\+CSFalconContainer\.exe|\\+CSFalconService\.exe|\\+CybereasonAV\.exe|\\+CylanceSvc\.exe|\\+cyserver\.exe|\\+CyveraService\.exe|\\+CyvrFsFlt\.exe|\\+EIConnector\.exe|\\+elastic\-agent\.exe|\\+elastic\-endpoint\.exe|\\+EndpointBasecamp\.exe|\\+ExecutionPreventionSvc\.exe|\\+filebeat\.exe|\\+fortiedr\.exe|\\+hmpalert\.exe|\\+hurukai\.exe|\\+LogProcessorService\.exe|\\+mcsagent\.exe|\\+mcsclient\.exe|\\+MsMpEng\.exe|\\+MsSense\.exe|\\+Ntrtscan\.exe|\\+PccNTMon\.exe|\\+QualysAgent\.exe|\\+RepMgr\.exe|\\+RepUtils\.exe|\\+RepUx\.exe|\\+RepWAV\.exe|\\+RepWSC\.exe|\\+sedservice\.exe|\\+SenseCncProxy\.exe|\\+SenseIR\.exe|\\+SenseNdr\.exe|\\+SenseSampleUploader\.exe|\\+SentinelAgent\.exe|\\+SentinelAgentWorker\.exe|\\+SentinelBrowserNativeHost\.exe|\\+SentinelHelperService\.exe|\\+SentinelServiceHost\.exe|\\+SentinelStaticEngine\.exe|\\+SentinelStaticEngineScanner\.exe|\\+sfc\.exe|\\+sophos\ ui\.exe|\\+sophosfilescanner\.exe|\\+sophosfs\.exe|\\+sophoshealth\.exe|\\+sophosips\.exe|\\+sophosLivequeryservice\.exe|\\+sophosnetfilter\.exe|\\+sophosntpservice\.exe|\\+sophososquery\.exe|\\+sspservice\.exe|\\+TaniumClient\.exe|\\+TaniumCX\.exe|\\+TaniumDetectEngine\.exe|\\+TMBMSRV\.exe|\\+TmCCSF\.exe|\\+TmListen\.exe|\\+TmWSCSvc\.exe|\\+Traps\.exe|\\+winlogbeat\.exe|\\+WSCommunicator\.exe|\\+xagt\.exe)$</field>
    </rule>
    <rule id="900290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Microsoft Defender Blocked from Loading Unsigned DLL</description>
        <options>no_full_log</options>
        <group>windows,security-mitigations,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)11|12</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
    </rule>
    <rule id="900291" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Unsigned Binary Loaded From Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,security-mitigations,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)11|12</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+PerfLogs\\+|\\+Desktop\\+|\\+Downloads\\+|\\+AppData\\+Local\\+Temp\\+|C:\\+Windows\\+TEMP\\+</field>
    </rule>
    <rule id="900292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>HybridConnectionManager Service Running</description>
        <options>no_full_log</options>
        <group>windows,microsoft-servicebus-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)40300|40301|40302</field>
        <field name="full_log" negate="no" type="pcre2">(?i)HybridConnection|sb://|servicebus\.windows\.net|HybridConnectionManage</field>
    </rule>
    <rule id="900293" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Application Installed</description>
        <options>no_full_log</options>
        <group>windows,shell-core,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)28115</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Zenmap|AnyDesk|wireshark|openvpn</field>
    </rule>
    <rule id="900294" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Application Installed</description>
        <options>no_full_log</options>
        <group>windows,shell-core,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)28115</field>
        <field name="full_log" negate="no" type="pcre2">(?i)zenmap\.exe|prokzult\ ad|wireshark|openvpn</field>
    </rule>
    <rule id="900295" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>Suspicious Rejected SMB Guest Logon From IP</description>
        <options>no_full_log</options>
        <group>windows,smbclient-security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)31017</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)</field>
        <field name="win.eventdata.serverName" negate="no" type="pcre2">(?i)^(?:\\+1)</field>
    </rule>
    <rule id="900296" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Sysmon Application Crashed</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Application\ Popup</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)26</field>
        <field name="win.eventdata.caption" negate="no" type="pcre2">(?i)sysmon64\.exe\ \-\ Application\ Error|sysmon\.exe\ \-\ Application\ Error</field>
    </rule>
    <rule id="900297" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>NTLMv1 Logon Between Client and Server</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)LsaSrv</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)6038|6039</field>
    </rule>
    <rule id="900298" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Active Directory Certificate Services Denied Certificate Enrollment Request</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-CertificationAuthority</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)53</field>
    </rule>
    <rule id="900299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DHCP Server Loaded the CallOut DLL</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1033</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-DHCP\-Server</field>
    </rule>
    <rule id="900300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DHCP Server Error Failed Loading the CallOut DLL</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1031|1032|1034</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-DHCP\-Server</field>
    </rule>
    <rule id="900301" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Potential CVE-2021-42287 Exploitation Attempt</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Directory\-Services\-SAM</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16990|16991</field>
    </rule>
    <rule id="900302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Local Privilege Escalation Indicator TabTip</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-DistributedCOM</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)10001</field>
        <field name="full_log" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ink\\+TabTip\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)2147943140</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\{054AAE20\-4BEA\-4347\-8A35\-64A533254A9D\}</field>
    </rule>
    <rule id="900303" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)104</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Eventlog</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)Microsoft\-Windows\-PowerShell/Operational</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)Microsoft\-Windows\-Sysmon/Operational</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)PowerShellCore/Operational</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)Security</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)Windows\ PowerShell</field>
    </rule>
    <rule id="900304" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Important Windows Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)104</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Eventlog</field>
        <field name="win.eventdata.channel" negate="no" type="pcre2">(?i)Microsoft\-Windows\-PowerShell/Operational|Microsoft\-Windows\-Sysmon/Operational|PowerShellCore/Operational|Security|System|Windows\ PowerShell</field>
    </rule>
    <rule id="900305" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Certificate Use With No Strong Mapping</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Kerberos\-Key\-Distribution\-Center</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)39|41</field>
    </rule>
    <rule id="900306" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>KDC RC4-HMAC Downgrade CVE-2022-37966</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)42</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Kerberos\-Key\-Distribution\-Center</field>
        <field name="win.system.level" negate="no" type="pcre2">(?i)2</field>
    </rule>
    <rule id="900307" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>No Suitable Encryption Key Found For Generating Kerberos Ticket</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Kerberos\-Key\-Distribution\-Center</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16|27</field>
    </rule>
    <rule id="900308" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Critical Hive In Suspicious Location Access Bits Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Kernel\-General</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Temp\\+SAM|\\+Temp\\+SECURITY</field>
    </rule>
    <rule id="900309" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Volume Shadow Copy Mount</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-Ntfs</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)98</field>
        <field name="win.eventdata.deviceName" negate="no" type="pcre2">(?i)HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="900310" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Usage of CVE_2021_34484 or CVE 2022_21919</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1511</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-User\ Profiles\ Service</field>
    </rule>
    <rule id="900311" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.resource_development</id>
            <id>attack.t1584</id>
        </mitre>
        <description>Windows Update Error</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Microsoft\-Windows\-WindowsUpdateClient</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16|20|24|213|217</field>
    </rule>
    <rule id="900312" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1210</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Zerologon Exploitation Using Well-known Tools</description>
        <options>no_full_log</options>
        <group>system,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5805|5723</field>
        <field name="full_log" negate="no" type="pcre2">(?i)kali|mimikatz</field>
    </rule>
    <rule id="900313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Vulnerable Netlogon Secure Channel Connection Allowed</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)NetLogon</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5829</field>
    </rule>
    <rule id="900314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1499.001</id>
        </mitre>
        <description>NTFS Vulnerability Exploitation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Ntfs</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)55</field>
        <field name="win.eventdata.origin" negate="no" type="pcre2">(?i)File\ System\ Driver</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)contains\ a\ corrupted\ file\ record</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)The\ name\ of\ the\ file\ is\ "\\+"</field>
    </rule>
    <rule id="900315" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="900316" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)%COMSPEC%</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900317" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell\ \-nop\ \-w\ hidden\ \-encodedcommand</field>
    </rule>
    <rule id="900318" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">IEX\ $New\-Object\ Net\.Webclient$\.DownloadString\('http://127\.0\.0\.1:</field>
    </rule>
    <rule id="900319" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Threat Detection Disabled - Service</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7036</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Windows\ Defender\ Antivirus\ Service|Service\ antivirus\ Microsoft\ Defender</field>
        <field name="full_log" negate="no" type="pcre2">(?i)stopped|arrГЄtГ©</field>
    </rule>
    <rule id="900320" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.execution</id>
            <id>attack.t1021.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>smbexec.py Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)BTOBTO</field>
    </rule>
    <rule id="900321" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.execution</id>
            <id>attack.t1021.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>smbexec.py Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.bat\ \&amp;\ del\ |__output\ 2\^&gt;\^\&amp;1\ &gt;</field>
    </rule>
    <rule id="900322" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)clipboard\]::</field>
    </rule>
    <rule id="900323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="900324" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)readtoend</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i):system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
    </rule>
    <rule id="900325" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)environment|invoke|input</field>
    </rule>
    <rule id="900327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\(Clipboard\|i</field>
    </rule>
    <rule id="900328" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)vbscript:createobject</field>
    </rule>
    <rule id="900329" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900330" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="900331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>KrbRelayUp Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)KrbSCM</field>
    </rule>
    <rule id="900332" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
            <id>attack.t1569.002</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Credential Dumping Tools Service Execution - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cachedump|dumpsvc|fgexec|gsecdump|mimidrv|pwdump|servpw</field>
    </rule>
    <rule id="900333" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="900334" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="900335" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)^(?:\\+127\.0\.0\.1\\+ADMIN\$\\+)</field>
    </rule>
    <rule id="900336" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Moriya Rootkit - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)ZzNetSvc</field>
    </rule>
    <rule id="900337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell Scripts Installed as Services</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="900338" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Anydesk Remote Access Software Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)AnyDesk\ Service</field>
    </rule>
    <rule id="900339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>HackTool Service Registration or Execution</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045|7036</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)cachedump|DumpSvc|gsecdump|pwdump|UACBypassedService|WCE\ SERVICE|WCESERVICE|winexesvc</field>
    </rule>
    <rule id="900340" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>HackTool Service Registration or Execution</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045|7036</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)bypass</field>
    </rule>
    <rule id="900341" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>ProcessHacker Privilege Elevation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:ProcessHacker)</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)LocalSystem</field>
    </rule>
    <rule id="900342" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Remote Access Tool Services Have Been Installed - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045|7036</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)AmmyyAdmin|Atera|BASupportExpressSrvcUpdater|BASupportExpressStandaloneService|chromoting|GoToAssist|GoToMyPC|jumpcloud|LMIGuardianSvc|LogMeIn|monblanking|Parsec|RManService|RPCPerformanceService|RPCService|SplashtopRemoteService|SSUService|TeamViewer|TightVNC|vncserver|Zoho</field>
    </rule>
    <rule id="900343" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Sliver C2 Default Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)^[a-zA-Z]:\\+windows\\+temp\\+[a-zA-Z0-9]{10}\.exe</field>
    </rule>
    <rule id="900344" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Sliver C2 Default Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)Sliver|Sliver\ implant</field>
    </rule>
    <rule id="900345" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>Service Installed By Unusual Client - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.processId" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="900346" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-nop\ |\ \-sta\ |\ \-w\ hidden\ |:\\+Temp\\+|\.downloadfile\(|\.downloadstring\(|\\+ADMIN\$\\+|\\+Perflogs\\+|\&amp;\&amp;</field>
    </rule>
    <rule id="900347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Driver Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)tap0901</field>
    </rule>
    <rule id="900348" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+\.\\+pipe|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900349" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ aQBlAHgA|\ aWV4I|\ IAB|\ JAB|\ PAA|\ SQBFAFgA|\ SUVYI</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Definition\ Updates\\+)</field>
    </rule>
    <rule id="900350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ aQBlAHgA|\ aWV4I|\ IAB|\ JAB|\ PAA|\ SQBFAFgA|\ SUVYI</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+TEMP\\+thor10\-remote\\+thor64\.exe)</field>
    </rule>
    <rule id="900351" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Windows Service Terminated With Error</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7023</field>
    </rule>
    <rule id="900352" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>RTCore Suspicious Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)RTCore64</field>
    </rule>
    <rule id="900353" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Service Installation in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)Service\ Control\ Manager</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)7045</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+127\.0\.0\.1|\\+localhost</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)Zoom\ Sharing\ Service</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Zoom\\+Support\\+CptService\.exe</field>
    </rule>
    <rule id="900354" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Potential RDP Exploit CVE-2019-0708</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)56|50</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)TermDD</field>
    </rule>
    <rule id="900355" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled Task Executed From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)129</field>
        <field name="full_log" negate="no" type="pcre2">(?i)C:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|C:\\+Temp\\+</field>
    </rule>
    <rule id="900356" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled Task Executed Uncommon LOLBIN</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)129</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+regsvr32\.exe|\\+wscript\.exe)</field>
    </rule>
    <rule id="900357" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Important Scheduled Task Deleted</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)141</field>
        <field name="win.eventdata.taskName" negate="no" type="pcre2">(?i)\\+Windows\\+SystemRestore\\+SR|\\+Windows\\+Windows\ Defender\\+|\\+Windows\\+BitLocker|\\+Windows\\+WindowsBackup\\+|\\+Windows\\+WindowsUpdate\\+|\\+Windows\\+UpdateOrchestrator\\+|\\+Windows\\+ExploitGuard</field>
        <field name="win.eventdata.samAccountName" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.samAccountName" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="900358" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>Ngrok Usage with Remote Desktop Service</description>
        <options>no_full_log</options>
        <group>windows,terminalservices-localsessionmanager,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)21</field>
        <field name="full_log" negate="no" type="pcre2">(?i)16777216</field>
    </rule>
    <rule id="900359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Grace Period Expired</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5101</field>
    </rule>
    <rule id="900360" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access Detected via Attack Surface Reduction</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1121</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+asgard2\-agent\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+atiesrxx\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+CompatTelRunner\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+msiexec\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+nvwmi64\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Taskmgr\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+msiexec\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+DriverStore\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+Installer\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1047</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PSExec and WMI Process Creations Block</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1121</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe|\\+psexesvc\.exe)$</field>
    </rule>
    <rule id="900362" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusions Added</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5007</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions</field>
    </rule>
    <rule id="900363" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exploit Guard Tamper</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5007</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+AllowedApplications\\+</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+PerfLogs\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900364" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exploit Guard Tamper</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5007</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+ProtectedFolders\\+</field>
    </rule>
    <rule id="900365" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Submit Sample Feature Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5007</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Real\-Time\ Protection\\+SubmitSamplesConsent\ =\ 0x0</field>
    </rule>
    <rule id="900366" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Windows Defender Malware Detection History Deletion</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1013</field>
    </rule>
    <rule id="900367" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Malware And PUA Scanning Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5010</field>
    </rule>
    <rule id="900368" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Defender AMSI Trigger Detected</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1116</field>
        <field name="full_log" negate="no" type="pcre2">(?i)AMSI</field>
    </rule>
    <rule id="900369" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Real-time Protection Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5001</field>
    </rule>
    <rule id="900370" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Real-Time Protection Failure/Restart</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)3002|3007</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)%%886</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)%%892</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)%%858</field>
    </rule>
    <rule id="900371" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Win Defender Restored Quarantine File</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1009</field>
    </rule>
    <rule id="900372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Configuration Changes</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5007</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)(?:\\+Windows\ Defender\\+DisableAntiSpyware\ |\\+Windows\ Defender\\+Scan\\+DisableRemovableDriveScanning\ |\\+Windows\ Defender\\+Scan\\+DisableScanningMappedNetworkDrivesForFullScan\ |\\+Windows\ Defender\\+SpyNet\\+DisableBlockAtFirstSeen\ |\\+Real\-Time\ Protection\\+SpyNetReporting\ )</field>
    </rule>
    <rule id="900373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Defender Tamper Protection Trigger</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5013</field>
        <field name="win.evendata.value" negate="no" type="pcre2">(?i)(?:\\+Windows\ Defender\\+DisableAntiSpyware|\\+Windows\ Defender\\+DisableAntiVirus|\\+Windows\ Defender\\+Scan\\+DisableArchiveScanning|\\+Windows\ Defender\\+Scan\\+DisableScanningNetworkFiles|\\+Real\-Time\ Protection\\+DisableRealtimeMonitoring|\\+Real\-Time\ Protection\\+DisableBehaviorMonitoring|\\+Real\-Time\ Protection\\+DisableIOAVProtection|\\+Real\-Time\ Protection\\+DisableScriptScanning)$</field>
    </rule>
    <rule id="900374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Defender Threat Detected</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)1006|1015|1116|1117</field>
    </rule>
    <rule id="900375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Virus Scanning Feature Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5012</field>
    </rule>
    <rule id="900376" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,wmi,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5861</field>
        <field name="full_log" negate="no" type="pcre2">(?i)ActiveScriptEventConsumer|CommandLineEventConsumer|CommandLineTemplate</field>
    </rule>
    <rule id="900377" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,wmi,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5861</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)5859</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)SCM\ Event\ Provider</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)select\ .+\ from\ MSFT_SCMEventLogEvent</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)S\-1\-5\-32\-544</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Permanent</field>
    </rule>
    <rule id="900378" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1055.012</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.t1218.005</id>
        </mitre>
        <description>HackTool - CACTUSTORCH Remote Thread Creation</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+System32\\+cscript\.exe|\\+System32\\+wscript\.exe|\\+System32\\+mshta\.exe|\\+winword\.exe|\\+excel\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.startModule" negate="no" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>HackTool - Potential CobaltStrike Process Injection</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.startAddress" negate="no" type="pcre2">(?i)(?:0B80|0C7C|0C88)$</field>
    </rule>
    <rule id="900380" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.005</id>
        </mitre>
        <description>Remote Thread Created In KeePass.EXE</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+KeePass\.exe)$</field>
    </rule>
    <rule id="900381" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>Remote Thread Creation In Mstsc.Exe From Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i):\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+PerfLogs\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="900382" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Via PowerShell Remote Thread</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
    </rule>
    <rule id="900383" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.011</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Remote Thread Creation Via PowerShell In Uncommon Target</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900384" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.s0005</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Password Dumper Remote Thread in LSASS</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.startModule" negate="no" type="pcre2">(?i)</field>
    </rule>
    <rule id="900385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Rare Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cscript\.exe|\\+cvtres\.exe|\\+defrag\.exe|\\+dnx\.exe|\\+esentutl\.exe|\\+excel\.exe|\\+expand\.exe|\\+find\.exe|\\+findstr\.exe|\\+forfiles\.exe|\\+gpupdate\.exe|\\+hh\.exe|\\+installutil\.exe|\\+lync\.exe|\\+makecab\.exe|\\+mDNSResponder\.exe|\\+monitoringhost\.exe|\\+msbuild\.exe|\\+mshta\.exe|\\+mspaint\.exe|\\+outlook\.exe|\\+ping\.exe|\\+provtool\.exe|\\+python\.exe|\\+regsvr32\.exe|\\+robocopy\.exe|\\+runonce\.exe|\\+sapcimc\.exe|\\+smartscreen\.exe|\\+spoolsv\.exe|\\+tstheme\.exe|\\+userinit\.exe|\\+vssadmin\.exe|\\+vssvc\.exe|\\+w3wp\.exe|\\+winscp\.exe|\\+winword\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="900386" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+iexplore\.exe|\\+msiexec\.exe|\\+powerpnt\.exe|\\+schtasks\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winlogon\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wininit\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+LogonUI\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+winlogon\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)4</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+schtasks\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+schtasks\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
    </rule>
    <rule id="900387" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+iexplore\.exe|\\+msiexec\.exe|\\+powerpnt\.exe|\\+schtasks\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+internet\ explorer\\+iexplore\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.checkpoint\.com/documents/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)SmartConsole_OLH/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)default\.htm\#cshid=</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+internet\ explorer\\+iexplore\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+CheckPoint\\+SmartConsole\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+SmartConsole\.exe</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+POWERPNT\.EXE)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
    </rule>
    <rule id="900388" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>Remote Thread Creation In Uncommon Target Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+calculator\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+ping\.exe|\\+sethc\.exe|\\+spoolsv\.exe|\\+wordpad\.exe|\\+write\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
    </rule>
    <rule id="900389" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>Remote Thread Creation In Uncommon Target Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+calculator\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+ping\.exe|\\+sethc\.exe|\\+spoolsv\.exe|\\+wordpad\.exe|\\+write\.exe)$</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)EtwpNotificationThread</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)unknown\ process</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+VMware\\+VMware\ Tools\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)GetCommandLineW</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+notepad\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Xerox\\+XeroxPrintExperience\\+CommonFiles\\+XeroxPrintJobEventManagerService\.exe</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)LoadLibraryW</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+spoolsv\.exe</field>
    </rule>
    <rule id="900390" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Remote Thread Creation Ttdinject.exe Proxy</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+ttdinject\.exe)$</field>
    </rule>
    <rule id="900391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.s0139</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Hidden Executable In NTFS Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=</field>
        <field name="win.eventdata.hashes" negate="yes" type="pcre2">(?i)IMPHASH=00000000000000000000000000000000</field>
    </rule>
    <rule id="900392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Creation Of a Suspicious ADS File Outside a Browser Download</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\[ZoneTransfer\]\ \ ZoneId=3)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.exe|\.scr|\.bat|\.cmd|\.docx|\.hta|\.jse|\.lnk|\.pptx|\.ps|\.reg|\.sct|\.vb|\.wsc|\.wsf|\.xlsx</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.ScreenSketch_)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SnippingTool\\+SnippingTool\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+Microsoft\.ScreenSketch_</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+TempState\\+Screenshot\ )</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.png:Zone\.Identifier)$</field>
    </rule>
    <rule id="900393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.s0139</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>HackTool Named File Stream Created</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)bcca3c247b619dcd13c8cdff5f123932|3a19059bd7688cb88e70005f18efc439|bf6223a49e45d99094406777eb6004ba|0c106686a31bfe2ba931ae1cf6e9dbc6|0d1447d4b3259b3c2a1d4cfb7ece13c3|1b0369a1e06271833f78ffa70ffb4eaf|4c1b52a19748428e51b14c278d0f58e3|4d927a711f77d62cebd4f322cb57ec6f|66ee036df5fc1004d9ed5e9a94a1086a|672b13f4a0b6f27d29065123fe882dfc|6bbd59cea665c4afcc2814c1327ec91f|725bb81dc24214f6ecacc0cfb36ad30d|9528a0e91e28fbb88ad433feabca2456|9da6d5d77be11712527dcab86df449a3|a6e01bc1ab89f8d91d9eab72032aae88|b24c5eddaea4fe50c6a96a2a133521e4|d21bbc50dcc169d7b4d0f01962793154|fcc251cceae90d22c392215cc9a2d5d6|23867a89c2b8fc733be6cf5ef902f2d1|a37ff327f8d48e8a4d2f757e1b6e70bc|f9a28c458284584a93b14216308d31bd|6118619783fc175bc7ebecff0769b46e|959a83047e80ab68b368fdb3f4c6e4ea|563233bfa169acc7892451f71ad5850a|87575cb7a0e0700eb37f2e3668671a08|13f08707f759af6003837a150a371ba1|1781f06048a7e58b323f0b9259be798b|233f85f2d4bc9d6521a6caae11a1e7f5|24af2584cbf4d60bbe5c6d1b31b3be6d|632969ddf6dbf4e0f53424b75e4b91f2|713c29b396b907ed71a72482759ed757|749a7bb1f0b4c4455949c0b2bf7f9e9f|8628b2608957a6b0c6330ac3de28ce2e|8b114550386e31895dfab371e741123d|94cb940a1a6b65bed4d5a8f849ce9793|9d68781980370e00e0bd939ee5e6c141|b18a1401ff8f444056d29450fbc0a6ce|cb567f9498452721d77a451374955f5f|730073214094cd328547bf1f72289752|17b461a082950fc6332228572138b80c|dc25ee78e2ef4d36faa0badf1e7461c9|819b19d53ca6736448f9325a85736792|829da329ce140d873b4a8bde2cbfaa7e|c547f2e66061a8dffb6f5a3ff63c0a74|0588081ab0e63ba785938467e1b10cca|0d9ec08bac6c07d9987dfd0f1506587c|bc129092b71c89b4d4c8cdf8ea590b29|4da924cf622d039d58bce71cdf05d242|e7a3a5c377e2d29324093377d7db1c66|9a9dbec5c62f0380b4fa5fd31deffedf|af8a3976ad71e5d5fdfb67ddb8dadfce|0c477898bbf137bbd6f2a54e3b805ff4|0ca9f02b537bcea20d4ea5eb1a9fe338|3ab3655e5a14d4eefc547f4781bf7f9e|e6f9d5152da699934b30daab206471f6|3ad59991ccf1d67339b319b15a41b35d|ffdd59e0318b85a3e480874d9796d872|0cf479628d7cc1ea25ec7998a92f5051|07a2d4dcbd6cb2c6a45e6b101f0b6d51|d6d0f80386e1380d05cb78e871bc72b1|38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650|ada161bf41b8e5e9132858cb54cab5fb|2a1bc4913cd5ecb0434df07cb675b798|11083e75553baae21dc89ce8f9a195e4|a23d29c9e566f2fa8ffbb79267f5df80|4a07f944a83e8a7c2525efa35dd30e2f|767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b|a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2|32089b8851bbf8bc2d014e9f37288c83|09D278F9DE118EF09163C6140255C690|03866661686829d806989e2fc5a72606|e57401fbdadcd4571ff385ab82bd5d6d|84B763C45C0E4A3E7CA5548C710DB4EE|19584675d94829987952432e018d5056|330768a4f172e10acb6287b87289d83b|885c99ccfbe77d1cbfcb9c4e7c1a3313|22a22bc9e4e0d2f189f1ea01748816ac|7fa30e6bb7e8e8a69155636e50bf1b28|96df3a3731912449521f6f8d183279b1|7e6cf3ff4576581271ac8a313b2aab46|51791678f351c03a0eb4e2a7b05c6e17|25ce42b079282632708fc846129e98a5|021bcca20ba3381b11bdde26b4e62f20|59223b5f52d8799d38e0754855cbdf42|81e75d8f1d276c156653d3d8813e4a43|17244e8b6b8227e57fe709ccad421420|5b76da3acdedc8a5cdf23a798b5936b4|cb2b65bb77d995cc1c0e5df1c860133c|40445337761d80cf465136fafb1f63e6|8a790f401b29fa87bc1e56f7272b3aa6</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932|IMPHASH=3A19059BD7688CB88E70005F18EFC439|IMPHASH=bf6223a49e45d99094406777eb6004ba|IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6|IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3|IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF|IMPHASH=4C1B52A19748428E51B14C278D0F58E3|IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F|IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A|IMPHASH=672B13F4A0B6F27D29065123FE882DFC|IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F|IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D|IMPHASH=9528A0E91E28FBB88AD433FEABCA2456|IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3|IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88|IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4|IMPHASH=D21BBC50DCC169D7B4D0F01962793154|IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6|IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1|IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC|IMPHASH=F9A28C458284584A93B14216308D31BD|IMPHASH=6118619783FC175BC7EBECFF0769B46E|IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA|IMPHASH=563233BFA169ACC7892451F71AD5850A|IMPHASH=87575CB7A0E0700EB37F2E3668671A08|IMPHASH=13F08707F759AF6003837A150A371BA1|IMPHASH=1781F06048A7E58B323F0B9259BE798B|IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5|IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D|IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2|IMPHASH=713C29B396B907ED71A72482759ED757|IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F|IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E|IMPHASH=8B114550386E31895DFAB371E741123D|IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793|IMPHASH=9D68781980370E00E0BD939EE5E6C141|IMPHASH=B18A1401FF8F444056D29450FBC0A6CE|IMPHASH=CB567F9498452721D77A451374955F5F|IMPHASH=730073214094CD328547BF1F72289752|IMPHASH=17B461A082950FC6332228572138B80C|IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9|IMPHASH=819B19D53CA6736448F9325A85736792|IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E|IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74|IMPHASH=0588081AB0E63BA785938467E1B10CCA|IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C|IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29|IMPHASH=4DA924CF622D039D58BCE71CDF05D242|IMPHASH=E7A3A5C377E2D29324093377D7DB1C66|IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF|IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE|IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4|IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338|IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E|IMPHASH=E6F9D5152DA699934B30DAAB206471F6|IMPHASH=3AD59991CCF1D67339B319B15A41B35D|IMPHASH=FFDD59E0318B85A3E480874D9796D872|IMPHASH=0CF479628D7CC1EA25EC7998A92F5051|IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51|IMPHASH=D6D0F80386E1380D05CB78E871BC72B1|IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650|IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB|IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798|IMPHASH=11083E75553BAAE21DC89CE8F9A195E4|IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80|IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F|IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B|IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F|IMPHASH=E96A73C7BF33A464C510EDE582318BF2|IMPHASH=32089B8851BBF8BC2D014E9F37288C83|IMPHASH=09D278F9DE118EF09163C6140255C690|IMPHASH=03866661686829d806989e2fc5a72606|IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d|IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE|IMPHASH=19584675D94829987952432E018D5056|IMPHASH=330768A4F172E10ACB6287B87289D83B|IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313|IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC|IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28|IMPHASH=96DF3A3731912449521F6F8D183279B1|IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46|IMPHASH=51791678F351C03A0EB4E2A7B05C6E17|IMPHASH=25CE42B079282632708FC846129E98A5|IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20|IMPHASH=59223B5F52D8799D38E0754855CBDF42|IMPHASH=81E75D8F1D276C156653D3D8813E4A43|IMPHASH=17244E8B6B8227E57FE709CCAD421420|IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4|IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C|IMPHASH=40445337761D80CF465136FAFB1F63E6|IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6</field>
    </rule>
    <rule id="900394" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Exports Registry Key To an Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
    </rule>
    <rule id="900395" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Unusual File Download from Direct IP Address</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ps1:Zone|\.bat:Zone|\.exe:Zone|\.vbe:Zone|\.vbs:Zone|\.dll:Zone|\.one:Zone|\.cmd:Zone|\.hta:Zone|\.xll:Zone|\.lnk:Zone</field>
    </rule>
    <rule id="900396" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Suspicious Winget Package Installation</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\[ZoneTransfer\]\ \ ZoneId=3)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
    </rule>
    <rule id="900397" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious File Download From ZIP TLD</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\.zip/</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.bat:Zone|\.dat:Zone|\.dll:Zone|\.doc:Zone|\.docm:Zone|\.exe:Zone|\.hta:Zone|\.pptm:Zone|\.ps1:Zone|\.rar:Zone|\.rtf:Zone|\.sct:Zone|\.vbe:Zone|\.vbs:Zone|\.ws:Zone|\.wsf:Zone|\.xll:Zone|\.xls:Zone|\.xlsm:Zone|\.zip:Zone</field>
    </rule>
    <rule id="900398" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query for Anonfiles.com Domain - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.anonfiles\.com</field>
    </rule>
    <rule id="900399" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>AppX Package Installation Attempts Via AppInstaller.EXE</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.DesktopAppInstaller_)</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppInstaller\.exe)$</field>
    </rule>
    <rule id="900400" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Cloudflared Tunnels Related DNS Requests</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.v2\.argotunnel\.com|protocol\-v2\.argotunnel\.com|trycloudflare\.com|update\.argotunnel\.com)$</field>
    </rule>
    <rule id="900401" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>DNS Query To Devtunnels Domain</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.devtunnels\.ms)$</field>
    </rule>
    <rule id="900402" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>DNS Server Discovery Via LDAP Query</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:_ldap\.)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)&lt;unknown\ process&gt;</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900403" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>DNS Server Discovery Via LDAP Query</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:_ldap\.)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WindowsAzure\\+GuestAgent)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
    </rule>
    <rule id="900404" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>DNS HybridConnectionManager Service Bus</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)servicebus\.windows\.net</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)HybridConnectionManager</field>
    </rule>
    <rule id="900405" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:aaa\.stage\.|post\.1)</field>
    </rule>
    <rule id="900406" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.stage\.123456\.</field>
    </rule>
    <rule id="900407" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To MEGA Hosting Website</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)userstorage\.mega\.co\.nz</field>
    </rule>
    <rule id="900408" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056</id>
        </mitre>
        <description>DNS Query Request To OneLaunch Update Service</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)update\.onelaunch\.com</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OneLaunch\.exe)$</field>
    </rule>
    <rule id="900409" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>DNS Query Request By Regsvr32.EXE</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900410" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:agent\.jumpcloud\.com|agentreporting\.atera\.com|ammyy\.com|api\.parsec\.app|api\.playanext\.com|api\.splashtop\.com|app\.atera\.com|assist\.zoho\.com|authentication\.logmeininc\.com|beyondtrustcloud\.com|cdn\.kaseya\.net|client\.teamviewer\.com|comserver\.corporate\.beanywhere\.com|control\.connectwise\.com|downloads\.zohocdn\.com|dwservice\.net|express\.gotoassist\.com|getgo\.com|integratedchat\.teamviewer\.com|join\.zoho\.com|kickstart\.jumpcloud\.com|license\.bomgar\.com|logmein\-gateway\.com|logmein\.com|logmeincdn\.http\.internapcdn\.net|n\-able\.com|net\.anydesk\.com|netsupportsoftware\.com|parsecusercontent\.com|pubsub\.atera\.com|relay\.kaseya\.net|relay\.screenconnect\.com|relay\.splashtop\.com|remotedesktop\-pa\.googleapis\.com|remoteutilities\.com|secure\.logmeinrescue\.com|services\.vnc\.com|static\.remotepc\.com|swi\-rc\.com|swi\-tc\.com|telemetry\.servers\.qetqo\.com|tmate\.io|zohoassist\.com)$</field>
    </rule>
    <rule id="900411" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.rustdesk\.com)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:rs\-)</field>
    </rule>
    <rule id="900412" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsSense\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+BraveSoftware\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Maxthon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Vivaldi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Tor\ Browser\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Waterfox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+midori\-ng\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Midori\ Next\ Generation\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slimbrowser\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Flock\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Flock\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Phoebe\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Phoebe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+falkon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+avant\.exe)$</field>
    </rule>
    <rule id="900413" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1590</id>
        </mitre>
        <description>Suspicious DNS Query for IP Lookup Service APIs</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)www\.ip\.cn|l2\.io</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)api\.2ip\.ua|api\.bigdatacloud\.net|api\.ipify\.org|bot\.whatismyipaddress\.com|canireachthe\.net|checkip\.amazonaws\.com|checkip\.dyndns\.org|curlmyip\.com|db\-ip\.com|edns\.ip\-api\.com|eth0\.me|freegeoip\.app|geoipy\.com|getip\.pro|icanhazip\.com|ident\.me|ifconfig\.io|ifconfig\.me|ip\-api\.com|ip\.360\.cn|ip\.anysrc\.net|ip\.taobao\.com|ip\.tyk\.nu|ipaddressworld\.com|ipapi\.co|ipconfig\.io|ipecho\.net|ipinfo\.io|ipip\.net|ipof\.in|ipv4\.icanhazip\.com|ipv4bot\.whatismyipaddress\.com|ipv6\-test\.com|ipwho\.is|jsonip\.com|myexternalip\.com|seeip\.org|wgetip\.com|whatismyip\.akamai\.com|whois\.pconline\.com\.cn|wtfismyip\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900414" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Domain Query By Non-TeamViewer Application</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)taf\.teamviewer\.com|udp\.ping\.teamviewer\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)TeamViewer</field>
    </rule>
    <rule id="900415" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>DNS Query Tor .Onion Address - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.onion</field>
    </rule>
    <rule id="900416" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To Ufile.io</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)ufile\.io</field>
    </rule>
    <rule id="900417" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>DNS Query To Visual Studio Code Tunnels Domain</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.tunnels\.api\.visualstudio\.com)$</field>
    </rule>
    <rule id="900418" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Malicious Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=5be61a24f50eb4c94d98b8a82ef58dcf|MD5=d70a80fc73dd43469934a7b1cc623c76|MD5=3b71eab204a5f7ed77811e41fed73105|MD5=528ce5ce19eb34f401ef024de7ddf222|MD5=ae548418b491cd3f31618eb9e5730973|MD5=72f53f55898548767e0276c472be41e8|MD5=508faa4647f305a97ed7167abc4d1330|MD5=ed2b653d55c03f0bffa250372d682b75|MD5=0d2ba47286f1c68e87622b3a16bf9d92|MD5=3164bd6c12dd0fe1bdf3b833d56323b9|MD5=70fd7209ce5c013a1f9e699b5cc86cdc|MD5=c71be7b112059d2dc84c0f952e04e6cc|MD5=acac842a46f3501fe407b1db1b247a0b|MD5=01c2e4d8234258451083d6ce4e8910b7|MD5=c8541a9cef64589593e999968a0385b9|MD5=e172a38ade3aa0a2bc1bf9604a54a3b5|MD5=6fcf56f6ca3210ec397e55f727353c4a|MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16|MD5=07056573d464b0f5284f7e3acedd4a3f|MD5=c7b7f1edb9bbef174e6506885561d85d|MD5=d5918d735a23f746f0e83f724c4f26e5|MD5=84763d8ca9fe5c3bff9667b2adf667de|MD5=fb593b1f1f80d20fc7f4b818065c64b6|MD5=909f3fc221acbe999483c87d9ead024a|MD5=e29f6311ae87542b3d693c1f38e4e3ad|MD5=aeb0801f22d71c7494e884d914446751|MD5=3f11a94f1ac5efdd19767c6976da9ba4|MD5=be6318413160e589080df02bb3ca6e6a|MD5=0b311af53d2f4f77d30f1aed709db257|MD5=d075d56dfce6b9b13484152b1ef40f93|MD5=27384ec4c634701012a2962c30badad2|MD5=5eb2c576597dd21a6b44557c237cf896|MD5=f56db4eba3829c0918413b5c0b42f00f|MD5=e27b2486aa5c256b662812b465b6036c|MD5=db86dfd7aefbb5be6728a63461b0f5f3|MD5=04a88f5974caa621cee18f34300fc08a|MD5=5129d8fd53d6a4aba81657ab2aa5d243|MD5=cd2c641788d5d125c316ed739c69bb59|MD5=7073cd0085fcba1cd7d3568f9e6d652c|MD5=24f0f2b4b3cdae11de1b81c537df41c7|MD5=88bea56ae9257b40063785cf47546024|MD5=63060b756377fce2ce4ab9d079ca732f|MD5=50b39072d0ee9af5ef4824eca34be6e3|MD5=57c18a8f5d1ba6d015e4d5bc698e3624|MD5=7d26985a5048bad57d9c223362f3d55c|MD5=ba54a0dbe2685e66e21d41b4529b3528|MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11|MD5=b52f51bbe6b49d0b475d943c29c4d4cb|MD5=a837302307dace2a00d07202b661bce2|MD5=78a122d926ccc371d60c861600c310f3|MD5=bdb305aa0806f8b38b7ce43c927fe919|MD5=27053e964667318e1b370150cbca9138|MD5=6a4fbcfb44717eae2145c761c1c99b6a|MD5=d13c1b76b4a1ca3ff5ab63678b51df6d|MD5=6a066d2be83cf83f343d0550b0b8f206|MD5=7108b0d4021af4c41de2c223319cd4c1|MD5=1cd158a64f3d886357535382a6fdad75|MD5=e939448b28a4edc81f1f974cebf6e7d2|MD5=4198d3db44d7c4b3ba9072d258a4fc2d|MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20|MD5=30ca3cc19f001a8f12c619daa8c6b6e3|MD5=fe9004353b25640f6a879e57f07122d7|MD5=06c7fcf3523235cf52b3eee083ec07b2|MD5=364605ad21b9275681cffef607fac273|MD5=968ddb06af90ef83c5f20fbdd4eee62e|MD5=ba50bd645d7c81416bb26a9d39998296|MD5=29e03f4811b64969e48a99300978f58c|MD5=b0770094c3c64250167b55e4db850c04|MD5=40b968ecdbe9e967d92c5da51c390eee|MD5=b6b530dd25c5eb66499968ec82e8791e|MD5=f209cb0e468ca0b76d879859d5c8c54e|MD5=76f8607fc4fb9e828d613a7214436b66|MD5=4b058945c9f2b8d8ebc485add1101ba5|MD5=faae7f5f69fde12303dd1c0c816b72b7|MD5=89d294ef7fefcdf1a6ca0ab96a856f57|MD5=ef0e1725aaf0c6c972593f860531a2ea|MD5=bbdbffebfc753b11897de2da7c9912a5|MD5=5ebfc0af031130ba9de1d5d3275734b3|MD5=22949977ce5cd96ba674b403a9c81285|MD5=77cfd3943cc34d9f5279c330cd8940bc|MD5=311de109df18e485d4a626b5dbe19bc6|MD5=2730cc25ad385acc7213a1261b21c12d|MD5=87dc81ebe85f20c1a7970e495a778e60|MD5=154b45f072fe844676e6970612fd39c7|MD5=5a4fe297c7d42539303137b6d75b150d|MD5=d6a1dd7b2c06f058b408b3613c13d413|MD5=a6e9d6505f6d2326a8a9214667c61c67|MD5=7fad9f2ef803496f482ce4728578a57a|MD5=5076fba3d90e346fd17f78db0a4aa12c|MD5=79df0eabbf2895e4e2dae15a4772868c|MD5=14580bd59c55185115fd3abe73b016a2|MD5=1f2888e57fdd6aee466962c25ba7d62d|MD5=5e9231e85cecfc6141e3644fda12a734|MD5=dc564bac7258e16627b9de0ce39fae25|MD5=4e4c068c06331130334f23957fca9e3c|MD5=1ee9f6326649cd23381eb9d7dfdeddf7|MD5=4e1f656001af3677856f664e96282a6f|MD5=36f44643178c505ea0384e0fb241e904|MD5=6b480fac7caca2f85be9a0cfe79aedfc|MD5=c1ab425977d467b64f437a6c5ad82b44|MD5=fe508caa54ffeb2285d9f00df547fe4a|MD5=d3af70287de8757cebc6f8d45bb21a20|MD5=990b949894b7dc82a8cf1131b063cb1a|MD5=c62209b8a5daf3f32ad876ad6cefda1b|MD5=c159fb0f345a8771e56aab8e16927361|MD5=19b15eeccab0752c6793f782ca665a45|MD5=1d51029dfbd616bf121b40a0d1efeb10|MD5=157a22689629ec876337f5f9409918d5|MD5=3dd829fb27353622eff34be1eabb8f18|MD5=8636fe3724f2bcba9399daffd6ef3c7e|MD5=3d0b3e19262099ade884b75ba86ca7e8|MD5=97539c78d6e2b5356ce79e40bcd4d570|MD5=0308b6888e0f197db6704ca20203eee4|MD5=091a6bd4880048514c5dd3bede15eba5|MD5=7e92f98b809430622b04e88441b2eb04|MD5=bb5bda8889d8d27ef984dbd6ad82c946|MD5=b76aee508f68b5b6dccd6e1f66f4cf8b|MD5=a822b9e6eedf69211013e192967bf523|MD5=df52f8a85eb64bc69039243d9680d8e4|MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a|MD5=44857ca402a15ab51dc5afe47abdfa44|MD5=f9844524fb0009e5b784c21c7bad4220|MD5=d34b218c386bfe8b1f9c941e374418d7|MD5=0ca010a32a9b0aeae1e46d666b83b659|MD5=93496a436c5546156a69deb255a9fed0|MD5=1cd5e231064e03c596e819b6ff48daf9|MD5=70a71fe86df717ac59dbf856d7ac5789|MD5=a33089d4e50f7d2ea8b52ca95d26ebf3|MD5=e0cc9b415d884f85c45be145872892b8|MD5=a42249a046182aaaf3a7a7db98bfa69d|MD5=c5ae6ca044bd03c3506c132b033be1dc|MD5=7ebe606acd81abf1f8cb0767c974164b|MD5=b5dcc869a91efcc6e8ea0c3c07605d63|MD5=62c18d61ed324088f963510bae43b831|MD5=093a2a635c3a27aac50efd6463f4efa1|MD5=28102acca39ad0199f262ba9958be3f4|MD5=650ef9dd70cb192027e536754d6e0f63|MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44|MD5=6771b13a53b9c7449d4891e427735ea2|MD5=072ba2309b825ce1dba37d8d924ea8ed|MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb|MD5=1325ec39e98225e487b40043faee8052|MD5=4484f4007de2c3ee4581a2cff77ca3b4|MD5=a236e7d654cd932b7d11cb604629a2d0|MD5=17509f0a98dc5c5d52c3f9ac1428a21b|MD5=840a5edf2534dd23a082cf7b28cbfc4d|MD5=77a7ed4798d02ef6636cd0fd07fc382a|MD5=a9df5964635ef8bd567ae487c3d214c4|MD5=8b75047199825c8e62fdcc1c915db8bd|MD5=d416494232c4197cb36a914df2e17677|MD5=4cf14a96485a1270fed97bb8000e4f86|MD5=35e512f9bedc89dca5ce81f35820714c|MD5=40f35792e7565aa047796758a3ce1b77|MD5=f7f31bccc9b7b2964ac85106831022b1|MD5=26aedc10d4215ba997495d3a68355f4a|MD5=10f3679384a03cb487bda9621ceb5f90|MD5=80219fb6b5954c33e16bac5ecdac651b|MD5=cee36b5c6362993fa921435979bfbe4a|MD5=e37a08f516b8a7ca64163f5d9e68fe5a|MD5=49518f7375a5f995ebe9423d8f19cfe4|MD5=920df6e42cf91bbe19707f5a86e3c5c5|MD5=2ec877e425bd7eddb663627216e3491e|MD5=550b7991d93534bc510bc4f237155a7a|MD5=98d53f6b3bec0a3417a04fbb9e17fa06|MD5=13a57a4ef721440c7c9208b51f7c05de|MD5=c5fc3605194e033bdf3781ff2adaeb61|MD5=6e625ec04c20a9dbd48c7060efbf5e92|MD5=0b9b78d1281c7d4ab50497cf6ea7452a|MD5=4e906fcb13e2793c98f47291fd69391b|MD5=2bb353891d65c9e267eb98a3a2b694c3|MD5=7d86cdda7f49f91fdb69901a002b34e7|MD5=f69b06ca7c34d16f26ea1c6861edf62a|MD5=ee6b1a79cb6641aa44c762ee90786fe0|MD5=1fc7aeeff3ab19004d2e53eae8160ab1|MD5=24d3ea54f25e32832ac20335a1ce1062|MD5=c94f405c5929cfcccc8ad00b42c95083|MD5=b164daf106566f444dfb280d743bc2f7|MD5=93130909e562925597110a617f05e2a9|MD5=f589d4bf547c140b6ec8a511ea47c658|MD5=bf445ac375977ecf551bc2a912c58e8a|MD5=629ee55e4b5a225d048fbcd5f0a1d18b|MD5=0023ca0ca16a62d93ef51f3df98b2f94|MD5=a3d69c7e24300389b56782aa63b0e357|MD5=cbd8d370462503508e44dba023bdf9bc|MD5=67daa04716803a15fc11c9e353d77c2f|MD5=c9d4214c850e0cedf033dc8f0cd3aace|MD5=bd5b0514f3b40f139d8079138d01b5f6|MD5=19bdd9b799e3c2c54c0d7fff68b31c20|MD5=f242cffd9926c0ccf94af3bf16b6e527|MD5=5aeab9427d85951def146b4c0a44fc63|MD5=40170485cca576adb5266cf5b0d3b0bd|MD5=c277c4386a78fae1b7e17eaecf4f472b|MD5=58c37866cbc3d1338e4fc58ada924ffe|MD5=0f16a43f7989034641fd2de3eb268bf1|MD5=0ae30291c6cbfa7be39320badd6e8de0|MD5=05dd59bd4f175304480affd8f1305c37|MD5=f838f4eb36f1e7036238776c7a70f0b0|MD5=85093bb9f027027c2c61aee50796de30|MD5=ae338d91d1b05a72559b7f6ed717362d|MD5=bd91787b5dcb2189b856804e85dfa1d9|MD5=6b3c1511e12f4d27a4ea3b18020d7b84|MD5=97264fd62d4907bdac917917a07b3b7a|MD5=6ececf26ff8b03ed7ffbddadec9a9dab|MD5=47e6ac52431ca47da17248d80bf71389|MD5=eb57f03b7603f0b235af62e8cd5be8c2|MD5=e1a9aa4c14669b1fb1f67a7266f87e82|MD5=29047f0b7790e524b09a06852d31a117|MD5=4dd6250eb2d368f500949952eb013964|MD5=fb7c61ef427f9b2fdff3574ee6b1819b|MD5=844af8c877f5da723c1b82cf6e213fc1|MD5=e39152eadd76751b1d7485231b280948|MD5=ac6e29f535b2c42999c50d2fc32f2c9c|MD5=2406ea37152d2154be3fef6d69ada2c6|MD5=0ea8389589c603a8b05146bd06020597|MD5=754e21482baf18b8b0ed0f4be462ba03|MD5=c4a517a02ba9f6eac5cf06e3629cc076|MD5=32282e07db321e8d7849f2287bb6a14f|MD5=32b67a6cd6dd998b9f563ed13d54a8bc|MD5=3359e1d4244a7d724949c63e89689ef8|MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0|MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6|MD5=a90236e4962620949b720f647a91f101|MD5=ccde8c94439f9fc9c42761e4b9a23d97|MD5=68caf620ef8deaf06819cf8c80d3367b|MD5=5fec28e8f4f76e5ede24beb32a32b9d7|MD5=e8eac6642b882a6196555539149c73f2|MD5=aa98b95f5cbae8260122de06a215ee10|MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80|MD5=abc168fdca7169bf9dc40cec9761018d|MD5=7f9309f5e4defec132b622fadbcad511|MD5=4748696211bd56c2d93c21cab91e82a5|MD5=48394dce30bb8da5ae089cb8f41b86dc|MD5=65f800e1112864bf41eb815649f428d5|MD5=bd25be845c151370ff177509d95d5add|MD5=a37ed7663073319d02f2513575a22995|MD5=2c39f6172fbc967844cac12d7ab2fa55|MD5=491aec2249ad8e2020f9f9b559ab68a8|MD5=1e0eb80347e723fa31fce2abb0301d44|MD5=a26363e7b02b13f2b8d697abb90cd5c3|MD5=4118b86e490aed091b1a219dba45f332|MD5=6d131a7462e568213b44ef69156f10a5|MD5=10c2ea775c9e76e7774ab89e38f38287|SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79|SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23|SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe|SHA1=af42afda54d150810a60baa7987f9f09d49d1317|SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7|SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462|SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7|SHA1=e730eb971ecb493b69de2308b6412836303f733a|SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca|SHA1=5fef884a901e81ac173d63ade3f5c51694decf74|SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc|SHA1=6451522b1fb428e549976d0742df5034f8124b17|SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a|SHA1=cc65bf60600b64feece5575f21ab89e03a728332|SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166|SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a|SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3|SHA1=c42178977bd7bbefe084da0129ed808cb7266204|SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333|SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee|SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837|SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf|SHA1=7638c048af5beae44352764390deea597cc3e7b1|SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5|SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2|SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87|SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e|SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d|SHA1=505546d82aab56889a923004654b9afdec54efe6|SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a|SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383|SHA1=844d7bcd1a928d340255ff42971cca6244a459bf|SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f|SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684|SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e|SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84|SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285|SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6|SHA1=607387cc90b93d58d6c9a432340261fde846b1d9|SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07|SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6|SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6|SHA1=b8b123a413b7bccfa8433deba4f88669c969b543|SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509|SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22|SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d|SHA1=a111dc6ae5575977feba71ee69b790e056846a02|SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3|SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2|SHA1=0de86ec7d7f16a3680df89256548301eed970393|SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2|SHA1=0883a9c54e8442a551994989db6fc694f1086d41|SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16|SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10|SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09|SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c|SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39|SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c|SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f|SHA1=994dc79255aeb662a672a1814280de73d405617a|SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1|SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5|SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b|SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61|SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9|SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7|SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b|SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd|SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2|SHA1=17fa047c1f979b180644906fe9265f21af5b0509|SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3|SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a|SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048|SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f|SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b|SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527|SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130|SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d|SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1|SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a|SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08|SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec|SHA1=73bac306292b4e9107147db94d0d836fdb071e33|SHA1=9382981b05b1fb950245313992444bfa0db5f881|SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3|SHA1=9c36600c2640007d3410dea8017573a113374873|SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb|SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7|SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab|SHA1=cb25a5125fb353496b59b910263209f273f3552d|SHA1=a5f1b56615bdaabf803219613f43671233f2001c|SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38|SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7|SHA1=632c80a3c95cf589b03812539dea59594eaefae0|SHA1=e6966e360038be3b9d8c9b2582eba4e263796084|SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab|SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51|SHA1=80e4808a7fe752cac444676dbbee174367fa2083|SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0|SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2|SHA1=3825ebb0b0664b5f0789371240f65231693be37d|SHA1=de9469a5d01fb84afd41d176f363a66e410d46da|SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b|SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff|SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5|SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358|SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405|SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8|SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2|SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed|SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe|SHA1=9481cd590c69544c197b4ee055056302978a7191|SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da|SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b|SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5|SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4|SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25|SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc|SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457|SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d|SHA1=f6793243ad20359d8be40d3accac168a15a327fb|SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1|SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8|SHA1=10115219e3595b93204c70eec6db3e68a93f3144|SHA1=161bae224cf184ed6c09c77fae866d42412c6d25|SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82|SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d|SHA1=745335bcdf02fb42df7d890a24858e16094f48fd|SHA1=2a202830db58d5e942e4f6609228b14095ed2cab|SHA1=0167259abd9231c29bec32e6106ca93a13999f90|SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167|SHA1=613a9df389ad612a5187632d679da11d60f6046a|SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514|SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86|SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d|SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb|SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812|SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528|SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3|SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d|SHA1=552730553a1dea0290710465fb8189bdd0eaad42|SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35|SHA1=07f282db28771838d0e75d6618f70d76acfe6082|SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e|SHA1=22c9da04847c26188226c3a345e2126ef00aa19e|SHA1=43501832ce50ccaba2706be852813d51de5a900f|SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542|SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde|SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc|SHA1=928b5971a0f7525209d599e2ef15c31717047022|SHA1=b5696e2183d9387776820ef3afa388200f08f5a6|SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2|SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3|SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774|SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945|SHA1=064de88dbbea67c149e779aac05228e5405985c7|SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7|SHA1=98130128685c8640a8a8391cb4718e98dd8fe542|SHA1=a5914161f8a885702427cf75443fb08d28d904f0|SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad|SHA1=fff4f28287677caabc60c8ab36786c370226588d|SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5|SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2|SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda|SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4|SHA1=87e20486e804bfff393cc9ad9659858e130402a2|SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c|SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9|SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a|SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0|SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b|SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6|SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b|SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c|SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a|SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed|SHA1=76568d987f8603339b8d1958f76de2b957811f66|SHA1=e841c8494b715b27b33be6f800ca290628507aba|SHA1=b555aad38df7605985462f3899572931ee126259|SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1|SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327|SHA1=bb6ef5518df35d9508673d5011138add8c30fc27|SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b|SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307|SHA1=34b677fba9dcab9a9016332b3332ce57f5796860|SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d|SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e|SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2|SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72|SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5|SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a|SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef|SHA1=18693de1487c55e374b46a7728b5bf43300d4f69|SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98|SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c|SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5|SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8|SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c|SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196|SHA1=e42bd2f585c00a1d6557df405246081f89542d15|SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9|SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd|SHA1=948368fe309652e8d88088d23e1df39e9c2b6649|SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d|SHA1=1f25f54e9b289f76604e81e98483309612c5a471|SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d|SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d|SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09|SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f|SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652|SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad|SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c|SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a|SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b|SHA1=d02403f85be6f243054395a873b41ef8a17ea279|SHA1=4da007dd298723f920e194501bb49bab769dfb14|SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a|SHA1=221717a48ee8e2d19470579c987674f661869e17|SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa|SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56|SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375|SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3|SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe|SHA1=6d09d826581baa1817be6fbd44426db9b05f1909|SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e|SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631|SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997|SHA1=0320534df24a37a245a0b09679a5adb27018fb5f|SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0|SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef|SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202|SHA1=062457182ab08594c631a3f897aeb03c6097eb77|SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25|SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670|SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e|SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5|SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b|SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739|SHA1=020580278d74d0fe741b0f786d8dca7554359997|SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677|SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4|SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7|SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d|SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f|SHA1=c257aa4094539719a3c7b7950598ef872dbf9518|SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49|SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e|SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c|SHA1=86f34eaea117f629297218a4d196b5729e72d7b9|SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0|SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7|SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8|SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb|SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a|SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb|SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d|SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2|SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a|SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212|SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b|SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac|SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1|SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76|SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421|SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316|SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47|SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03|SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c|SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553|SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87|SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330|SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852|SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304|SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931|SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d|SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c|SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736|SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830|SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104|SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a|SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a|SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a|SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0|SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392|SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd|SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee|SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01|SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254|SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231|SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39|SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d|SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1|SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae|SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4|SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50|SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9|SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212|SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25|SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09|SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1|SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99|SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae|SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475|SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2|SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c|SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb|SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db|SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2|SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c|SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b|SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c|SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217|SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597|SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37|SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4|SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376|SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a|SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e|SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a|SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25|SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be|SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7|SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a|SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c|SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987|SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f|SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad|SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e|SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5|SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b|SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa|SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972|SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a|SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46|SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f|SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4|SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8|SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6|SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21|SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894|SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd|SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62|SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e|SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff|SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b|SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870|SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640|SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530|SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd|SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550|SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9|SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b|SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c|SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988|SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875|SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263|SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4|SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280|SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9|SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12|SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe|SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b|SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f|SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a|SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719|SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908|SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de|SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc|SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a|SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427|SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653|SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919|SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad|SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920|SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77|SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e|SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105|SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2|SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa|SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112|SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4|SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff|SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3|SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925|SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6|SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878|SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59|SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66|SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280|SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7|SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167|SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a|SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7|SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec|SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620|SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f|SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905|SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3|SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b|SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab|SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc|SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968|SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28|SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0|SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93|SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12|SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8|SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895|SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3|SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f|SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be|SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8|SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f|SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe|SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4|SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5|SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af|SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40|SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6|SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d|SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a|SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96|SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497|SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2|SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce|SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96|SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576|SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80|SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266|SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724|SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee|SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b|SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f|SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e|SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1|SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952|SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da|SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e|SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463|SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7|SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0|SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1|SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9|SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a|SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85|SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac|SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873|SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7|SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38|SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c|SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c|SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524|SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51|SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df|SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601|SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7|SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3|SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19|SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55|SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe|SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85|SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1|SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06|SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c|SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3|SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55|SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778|SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6|SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6|SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43|SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3|SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7|SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715|SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434|SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0|SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f|SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327|SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d|SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021|SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4|SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15|SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f|SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2|SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677|SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d|SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d|SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f|SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57|SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc|SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c|SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35|SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440|IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7|IMPHASH=7641a0c227f0a3a45b80bb8af43cd152|IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c|IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d|IMPHASH=beceab354c66949088c9e5ed1f1ff2a4|IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626|IMPHASH=420625b024fba72a24025defdf95b303|IMPHASH=65ccc2c578a984c31880b6c5e65257d3|IMPHASH=e717abe060bc5c34925fe3120ac22f45|IMPHASH=41113a3a832353963112b94f4635a383|IMPHASH=3866dd9fe63de457bdbf893bf7050ddf|IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4|IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca|IMPHASH=c9a6e83d931286d1604d1add8403e1e5|IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372|IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f|IMPHASH=8e35c9460537092672b3c7c14bccc7e0|IMPHASH=7bf14377888c429897eb10a85f70266c|IMPHASH=b351627263648b1d220bb488e7ec7202|IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a|IMPHASH=a7bd820fa5b895fab06f20739c9f24b8|IMPHASH=be0dd8b8e045356d600ee55a64d9d197|IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8|IMPHASH=6c8d5c79a850eecc2fb0291cebda618d|IMPHASH=c32d9a9af7f702814e1368c689877f3a|IMPHASH=6b387c029257f024a43a73f38afb2629|IMPHASH=df43355c636583e56e92142dcc69cc58|IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd|IMPHASH=c214aac08575c139e48d04f5aee21585|IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7|IMPHASH=059c6bd84285f4960e767f032b33f19b|IMPHASH=a09170ef09c55cdca9472c02cb1f2647|IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a|IMPHASH=0262d4147f21d681f8519ab2af79283f|IMPHASH=832219eb71b8bdb771f1d29d27b0acf4|IMPHASH=514298d18002920ee5a917fc34426417|IMPHASH=26ceec6572c630bdad60c984e51b7da4|IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90|IMPHASH=4b47f6031c558106eee17655f8f8a32f|IMPHASH=a6c4a7369500900fc172f9557cff22cf|IMPHASH=3b49942ec6cef1898e97f741b2b5df8a|IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511|IMPHASH=27f6dc8a247a22308dd1beba5086b302|IMPHASH=7d017945bf90936a6c40f73f91ed02c2|IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97|IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e|IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9|IMPHASH=87fd2b54ed568e2294300e164b8c46f7|IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a|IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff|IMPHASH=2a008187d4a73284ddcc43f1b727b513|IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127|IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4|IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4|IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771</field>
    </rule>
    <rule id="900419" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Malicious Driver Load By Name</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wfshbr64\.sys|\\+ktmutil7odm\.sys|\\+ktes\.sys|\\+a26363e7b02b13f2b8d697abb90cd5c3\.sys|\\+kt2\.sys|\\+4748696211bd56c2d93c21cab91e82a5\.sys|\\+malicious\.sys|\\+a236e7d654cd932b7d11cb604629a2d0\.sys|\\+spwizimgvt\.sys|\\+c94f405c5929cfcccc8ad00b42c95083\.sys|\\+fur\.sys|\\+wantd\.sys|\\+windbg\.sys|\\+4118b86e490aed091b1a219dba45f332\.sys|\\+gmer64\.sys|\\+1fc7aeeff3ab19004d2e53eae8160ab1\.sys|\\+poortry2\.sys|\\+wintapix\.sys|\\+daxin_blank6\.sys|\\+6771b13a53b9c7449d4891e427735ea2\.sys|\\+blacklotus_driver\.sys|\\+air_system10\.sys|\\+dkrtk\.sys|\\+7\.sys|\\+sense5ext\.sys|\\+ktgn\.sys|\\+ndislan\.sys|\\+nlslexicons0024uvn\.sys|\\+be6318413160e589080df02bb3ca6e6a\.sys|\\+4\.sys|\\+wantd_2\.sys|\\+e29f6311ae87542b3d693c1f38e4e3ad\.sys|\\+daxin_blank3\.sys|\\+gftkyj64\.sys|\\+daxin_blank2\.sys|\\+wantd_4\.sys|\\+reddriver\.sys|\\+834761775\.sys|\\+mlgbbiicaihflrnh\.sys|\\+mjj0ge\.sys|\\+daxin_blank\.sys|\\+daxin_blank5\.sys|\\+poortry1\.sys|\\+msqpq\.sys|\\+mimidrv\.sys|\\+e939448b28a4edc81f1f974cebf6e7d2\.sys|\\+prokiller64\.sys|\\+nodedriver\.sys|\\+wantd_3\.sys|\\+lctka\.sys|\\+kapchelper_x64\.sys|\\+daxin_blank4\.sys|\\+a9df5964635ef8bd567ae487c3d214c4\.sys|\\+wantd_6\.sys|\\+ntbios\.sys|\\+wantd_5\.sys|\\+pciecubed\.sys|\\+mimikatz\.sys|\\+nqrmq\.sys|\\+2\.sys|\\+poortry\.sys|\\+ntbios_2\.sys|\\+fgme\.sys|\\+telephonuafy\.sys|\\+typelibde\.sys|\\+daxin_blank1\.sys|\\+ef0e1725aaf0c6c972593f860531a2ea\.sys|\\+5a4fe297c7d42539303137b6d75b150d\.sys)$</field>
    </rule>
    <rule id="900420" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+kprocesshacker\.sys)$</field>
    </rule>
    <rule id="900421" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=821D74031D3F625BCBD0DF08B70F1E77|IMPHASH=F86759BB4DE4320918615DC06E998A39|IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18|IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0</field>
    </rule>
    <rule id="900422" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)821D74031D3F625BCBD0DF08B70F1E77|F86759BB4DE4320918615DC06E998A39|0A64EEB85419257D0CE32BD5D55C3A18|6E7B34DFC017700B1517B230DF6FF0D0</field>
    </rule>
    <rule id="900423" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SystemInformer\.sys)$</field>
    </rule>
    <rule id="900424" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24|SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454|SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D|SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B|SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D|SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34|SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89|SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB|SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B|SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97|SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656|SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4|SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138</field>
    </rule>
    <rule id="900425" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24|a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454|38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d|a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b|4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d|3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34|047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89|18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb|b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b|640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97|251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656|e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4|3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138</field>
    </rule>
    <rule id="900426" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Driver Load From A Temporary Directory</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="900427" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=c996d7971c49252c582171d9380360f2|MD5=da7e98b23b49b7293ee06713032c74f6|MD5=9496585198d726000ea505abc39dbfe9|MD5=649ff59b8e571c1fc6535b31662407aa|MD5=4429f85e2415742c7cf8c9f54905c4b9|MD5=a610cd4c762b5af8575285dafb9baa8f|MD5=d5e76d125d624f8025d534f49e3c4162|MD5=9c8fffef24fc480917236f9a20b80a47|MD5=65b979bcab915c3922578fe77953d789|MD5=598f8fb2317350e5f90b7bd16baf5738|MD5=6691e873354f1914692df104718eebad|MD5=4814205270caa80d35569eee8081838e|MD5=7f9128654c3def08c28e0e13efff0fee|MD5=ce952204558ea66ec1a9632dcbdde8bd|MD5=0c0195c48b6b8582fa6f6373032118da|MD5=370a4ca29a7cf1d6bc0744afc12b236c|MD5=67e03f83c503c3f11843942df32efe5a|MD5=8a70921638ff82bb924456deadcd20e6|MD5=8a212a246b3c41f3ddce5888aaaaacd6|MD5=a346417e9ae2c17a8fbf73302eeb611d|MD5=d4f7c14e92b36c341c41ae93159407dd|MD5=748cf64b95ca83abc35762ad2c25458f|MD5=79ab228766c76cfdf42a64722821711e|MD5=ce67e51b8c0370d1bfe421b79fa8b656|MD5=25190f667f31318dd9a2e36383d5709f|MD5=1f263a57c5ef46c8577744ecb32c9548|MD5=c6cfa2d6e4c443e673c2c12417ea3001|MD5=cceb3a7e3bd0203c807168b393a65a74|MD5=56b54823a79a53747cbe11f8c4db7b1e|MD5=988dabdcf990b134b0ac1e00512c30c4|MD5=09e77d71d626574e6142894caca6e6dd|MD5=c832a4313ff082258240b61b88efa025|MD5=44499d3cab387aa78a4a6eca2ac181fb|MD5=6ff59faea912903af0ba8e80e58612bc|MD5=7461f0f9b931044a9d5f1d44eb4e8e09|MD5=08bac71557df8a9b1381c8c165f64520|MD5=fea9319d67177ed6f36438d2bd9392fb|MD5=6dd82d91f981893be57ff90101a7f7f1|MD5=d4119a5cb07ce945c6549eae74e39731|MD5=cf1113723e3c1c71af80d228f040c198|MD5=0e625b7a7c3f75524e307b160f8db337|MD5=6e1faeee0ebfcb384208772410fe1e86|MD5=58a92520dda53166e322118ee0503364|MD5=916ba55fc004b85939ee0cc86a5191c5|MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9|MD5=db2fc89098ac722dabe3c37ed23de340|MD5=6f5cf7feb9bb8108b68f169b8e625ffe|MD5=d2588631d8aae2a3e54410eaf54f0679|MD5=72acbdd8fac58b71b301980eab3ebfc8|MD5=9cc757a18b86408efc1ce3ed20cbcdac|MD5=230fd3749904ca045ea5ec0aa14006e9|MD5=79329e2917623181888605bc5b302711|MD5=3e4a1384a27013ab7b767a88b8a1bd34|MD5=bafd6bad121e42f940a0b8abc587eadf|MD5=02a1d77ef13bd41cad04abcce896d0b9|MD5=de331f863627dc489f547725d7292bbd|MD5=29122f970a9e766ef01a73e0616d68b3|MD5=2b8814cff6351c2b775387770053bdec|MD5=332db70d2c5c332768ab063ba6ac8433|MD5=40f39a98fb513411dacdfc5b2d972206|MD5=644d687c9f96c82ea2974ccacd8cd549|MD5=825703c494e0d270f797f1ecf070f698|MD5=afae2a21e36158f5cf4f76f896649c75|MD5=dd050e79c515e4a6d1ae36cac5545025|MD5=6133e1008f8c6fc32d4b1a60941bab85|MD5=0e2fc7e7f85c980eb698b9e468c20366|MD5=94c80490b02cc655d2d80597c3aef08f|MD5=4d487f77be4471900d6ccbc47242cc25|MD5=2e3dbb01b282a526bdc3031e0663c41c|MD5=93a23503e26773c27ed1da06bb79e7a4|MD5=ffd0c87d9bf894af26823fbde94c71b6|MD5=a86150f2e29b35369afa2cafd7aa9764|MD5=6126065af2fc2639473d12ee3c0c198e|MD5=c1d3a6bb423739a5e781f7eee04c9cfd|MD5=f0db5af13c457a299a64cf524c64b042|MD5=e5e8ecb20bc5630414707295327d755e|MD5=659a59d7e26b7730361244e12201378e|MD5=8f47af49c330c9fcf3451ad2252b9e04|MD5=dd9596c18818288845423c68f3f39800|MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2|MD5=20125794b807116617d43f02b616e092|MD5=46cae59443ae41f4dbb42e050a9b501a|MD5=21e13f2cb269defeae5e1d09887d47bb|MD5=5bab40019419a2713298a5c9173e5d30|MD5=7314c2bc19c6608d511ef36e17a12c98|MD5=24061b0958874c1cb2a5a8e9d25482d4|MD5=31a4631d77b2357ac9618e2a60021f11|MD5=130c5aec46bdec8d534df7222d160fdb|MD5=592065b29131af32aa18a9e546be9617|MD5=2d64d681d79e0d26650928259530c075|MD5=1ce19950e23c975f677b80ff59d04fae|MD5=318e309e11199ec69d8928c46a4d901b|MD5=d78a29306f42d42cd48ad6bc6c6a7602|MD5=6a094d8e4b00dd1d93eb494099e98478|MD5=0be80db5d9368fdb29fe9d9bfdd02e7c|MD5=ba23266992ad964eff6d358d946b76bd|MD5=560069dc51d3cc7f9cf1f4e940f93cae|MD5=a785b3bc4309d2eb111911c1b55e793f|MD5=ac591a3b4df82a589edbb236263ec70a|MD5=a664904f69756834049e9e272abb6fea|MD5=19f32bf24b725f103f49dc3fa2f4f0bd|MD5=2509a71a02296aa65a3428ddfac22180|MD5=9988fc825675d4d3e2298537fc78e303|MD5=dab9142dc12480bb39f25c9911df6c6c|MD5=2c47725db0c5eb5c2ecc32ff208bceb6|MD5=bdfe1f0346c066971e1f3d96f7fdaa2c|MD5=7644bed8b74dc294ac77bf406df8ad77|MD5=9ade14e58996a6abbfe2409d6cddba6a|MD5=5212e0957468d3f94d90fa7a0f06b58f|MD5=96e10a2904fff9491762a4fb549ad580|MD5=0c55128c301921ce71991a6d546756ad|MD5=97e90c869b5b0f493b833710931c39ed|MD5=f36b8094c2fbf57f99870bfaeeacb25c|MD5=b3d6378185356326fd8ee4329b0b7698|MD5=9321a61a25c7961d9f36852ecaa86f55|MD5=f758e7d53184faab5bc51f751937fa36|MD5=1f7b2a00fe0c55d17d1b04c5e0507970|MD5=239224202ccdea1f09813a70be8413ee|MD5=996ded363410dfd38af50c76bd5b4fbc|MD5=0fc2653b1c45f08ca0abd1eb7772e3c0|MD5=79b8119b012352d255961e76605567d6|MD5=2e1f8a2a80221deb93496a861693c565|MD5=697bbd86ee1d386ae1e99759b1e38919|MD5=ddc2ffe0ab3fcd48db898ab13c38d88d|MD5=2971d4ee95f640d2818e38d8877c8984|MD5=962a33a191dbe56915fd196e3a868cf0|MD5=7575b35fee4ec8dbd0a61dbca3b972e3|MD5=2d7f1c02b94d6f0f3e10107e5ea8e141|MD5=057ec65bac5e786affeb97c0a0d1db15|MD5=483abeee17e4e30a760ec8c0d6d31d6d|MD5=f23b2adcfab58e33872e5c2d0041ad88|MD5=2601cf769ad6ffee727997679693f774|MD5=b4598c05d5440250633e25933fff42b0|MD5=2e5f016ff9378be41fe98fa62f99b12d|MD5=75d6c3469347de1cdfa3b1b9f1544208|MD5=828bb9cb1dd449cd65a29b18ec46055f|MD5=1bd38ac06ef8709ad23af666622609c9|MD5=e747f164fc89566f934f9ec5627cd8c3|MD5=a01c412699b6f21645b2885c2bae4454|MD5=a216803d691d92acc44ac77d981aa767|MD5=112b4a6d8c205c1287c66ad0009c3226|MD5=68dde686d6999ad2e5d182b20403240b|MD5=2d854c6772f0daa8d1fde4168d26c36b|MD5=9a9dbf5107848c254381be67a4c1b1dd|MD5=3ecd3ca61ffc54b0d93f8b19161b83da|MD5=1ad400766530669d14a077514599e7f3|MD5=4f27c09cc8680e06b04d6a9c34ca1e08|MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d|MD5=043d5a1fc66662a3f91b8a9c027f9be9|MD5=a0e2223868b6133c5712ba5ed20c3e8a|MD5=2b3e0db4f00d4b3d0b4d178234b02e72|MD5=1610342659cb8eb4a0361dbc047a2221|MD5=c842827d4704a5ef53a809463254e1cc|MD5=bf2a954160cb155df0df433929e9102b|MD5=81b72492d45982cd7a4a138676329fd6|MD5=2a2867e1f323320fdeef40c1da578a9a|MD5=b3f132ce34207b7be899f4978276b66d|MD5=3247014ba35d406475311a2eab0c4657|MD5=88d5fc86f0dd3a8b42463f8d5503a570|MD5=0be5c6476dd58072c93af4fca62ee4b3|MD5=3cf7a55ec897cc938aebb8161cb8e74f|MD5=931d4f01b5a88027ef86437f1b862000|MD5=d253c19194a18030296ae62a10821640|MD5=c5f5d109f11aadebae94c77b27cb026f|MD5=15dd3ef7df34f9b464e9b38c2deb0793|MD5=e913a51f66e380837ffe8da6707d4cc4|MD5=c552dae8eaadd708a38704e8d62cf64d|MD5=1f8a9619ab644728ce4cf86f3ad879ea|MD5=f7edd110de10f9a50c2922f1450819aa|MD5=be17a598e0f5314748ade0871ad343e7|MD5=aa1ed3917928f04d97d8a217fe9b5cb1|MD5=880686bceaf66bfde3c80569eb1ebfa7|MD5=bc1eeb4993a601e6f7776233028ac095|MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3|MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae|MD5=5054083cf29649a76c94658ba7ff5bce|MD5=dedd07993780d973c22c93e77ab69fa3|MD5=3aacaa62758fa6d178043d78ba89bebc|MD5=f1a203406a680cc7e4017844b129dcbf|MD5=2399e6f7f868d05623be03a616b4811e|MD5=0d5774527af6e30905317839686b449d|MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae|MD5=047c06d4d38ea443c9af23a501c4480d|MD5=a72e10ecea2fdeb8b9d4f45d0294086b|MD5=c9c25778efe890baa4087e32937016a0|MD5=0ba6afe0ea182236f98365bd977adfdf|MD5=e626956c883c7ff3aeb0414570135a58|MD5=3e796eb95aca7e620d6a0c2118d6871b|MD5=f3f5c518bc3715492cb0b7c59e94c357|MD5=4e92f1c677e08fd09b57032c5b47ca46|MD5=f22740ba54a400fd2be7690bb204aa08|MD5=3467b0d996251dc56a72fc51a536dd6b|MD5=198b723e13a270bb664dcb9fb6ed42e6|MD5=bdc3b6b83dde7111d5d6b9a2aadf233f|MD5=3651a6990fe38711ebb285143f867a43|MD5=7db75077d53a63531ef2742d98ca6acc|MD5=55c36d43dd930069148008902f431ea5|MD5=f026460a7a720d0b8394f28a1f9203dc|MD5=cb22776d06f1e81cc87faeb0245acde8|MD5=b994110f069d197222508a724d8afdac|MD5=e6eaee1b3e41f404c289e22df66ef66b|MD5=29872c7376c42e2a64fa838dad98aa11|MD5=d21fba3d09e5b060bd08796916166218|MD5=880611326b768c4922e9da8a8effc582|MD5=9c3c250646e11052b1e38500ee0e467b|MD5=178cc9403816c082d22a1d47fa1f9c85|MD5=2c1045bb133b7c9f5115e7f2b20c267a|MD5=707ab1170389eba44ffd4cfad01b5969|MD5=ddf2655068467d981242ea96e3b88614|MD5=7907e14f9bcf3a4689c9a74a1a873cb6|MD5=b3424a229d845a88340045c29327c529|MD5=0b0447072ada1636a14087574a512c82|MD5=0be4a11bc261f3cd8b4dbfebee88c209|MD5=7dd538bcaa98d6c063ead8606066333f|MD5=8a108158431e9a7d08e330fd7a46d175|MD5=e6ea0e8d2edcc6cad3c414a889d17ac4|MD5=288471f132c7249f598032d03575f083|MD5=11fb599312cb1cf43ca5e879ed6fb71e|MD5=2348508499406dec3b508f349949cb51|MD5=fe820a5f99b092c3660762c6fc6c64e0|MD5=c508d28487121828c3a1c2b57acb05be|MD5=91755cc5c3ccf97313dc2bece813b4d9|MD5=2f8653034a35526df88ea0c62b035a42|MD5=3dbf69f935ea48571ea6b0f5a2878896|MD5=7e3a6f880486a4782b896e6dbd9cc26f|MD5=2850608430dd089f24386f3336c84729|MD5=a711e6ab17802fabf2e69e0cd57c54cd|MD5=2eec12c17d6b8deeeac485f47131d150|MD5=e7ab83a655b0cd934a19d94ac81e4eec|MD5=a91a1bc393971a662a3210dac8c17dfd|MD5=2fed983ec44d1e7cffb0d516407746f2|MD5=18439fe2aaeddfd355ef88091cb6c15f|MD5=592756f68ab8ae590662b0c4212a3bb9|MD5=d63c9c1a427a134461258b7b8742858f|MD5=6e25148bb384469f3d5386dc5217548a|MD5=700d6a0331befd4ed9cfbb3234b335e7|MD5=e68972cd9f28f0be0f9df7207aba9d1d|MD5=b2a9ac0600b12ec9819e049d7a6a0b75|MD5=c796a92a66ec725b7b7febbdc13dc69b|MD5=5b6c21e8366220f7511e6904ffeeced9|MD5=8741e6df191c805028b92cec44b1ba88|MD5=b47dee29b5e6e1939567a926c7a3e6a4|MD5=dff6c75c9754a6be61a47a273364cdf7|MD5=d86269ba823c9ecf49a145540cd0b3df|MD5=3c55092900343d3d28564e2d34e7be2c|MD5=fef9dd9ea587f8886ade43c1befbdafe|MD5=96c5900331bd17344f338d006888bae5|MD5=7e7e3f5532b6af24dcc252ac4b240311|MD5=c6f8983dd3d75640c072a8459b8fa55a|MD5=1caf5070493459ba029d988dbb2c7422|MD5=2b653950483196f0d175ba6bc35f1125|MD5=15814b675e9d08953f2c64e4e5ccb4f4|MD5=de4001f89ed139d1ed6ae5586d48997a|MD5=dc943bf367ae77016ae399df8e71d38a|MD5=524cd77f4c100cf20af4004f740b0268|MD5=e5f8fcdfb52155ed4dffd8a205b3d091|MD5=925ee3f3227c3b63e141ba16bd83f024|MD5=fbf729350ca08a7673b115ce9c9eb7e5|MD5=eb0a8eeb444033ebf9b4b304f114f2c8|MD5=c7a57cd4bea07dadba2e2fb914379910|MD5=384370c812acb7181f972d57dc77c324|MD5=d43dcba796b40234267ad2862fa52600|MD5=b0954711c133d284a171dd560c8f492a|MD5=262969a3fab32b9e17e63e2d17a57744|MD5=05a6f843c43d75fbce8e885bb8656aa4|MD5=992ded5b623be3c228f32edb4ca3f2d2|MD5=13a0d3f9d5f39adaca0a8d3bb327eb31|MD5=f5051c756035ef5de9c4c48bacb0612b|MD5=1276f735d22cf04676a719edc6b0df18|MD5=d4a299c595d35264b5cfd12490a138dc|MD5=f4e1997192d5a95a38965c9e15c687fc|MD5=05369fa594a033e48b7921018b3263fb|MD5=ed07f1a8038596574184e09211dfc30f|MD5=e1ebc6c5257a277115a7e61ee3e5e42f|MD5=821adf5ba68fd8cc7f4f1bc915fe47de|MD5=b12d1630fd50b2a21fd91e45d522ba3a|MD5=729dd4df669dc96e74f4180c6ee2a64b|MD5=c6b5a3ae07b165a6e5fff7e31ff91016|MD5=e36f6f7401ae11e11f69d744703914db|MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a|MD5=b5326548762bfaae7a42d5b0898dfeac|MD5=f2f728d2f69765f5dfda913d407783d2|MD5=637cf50b06bc53deae846b252d56bbdc|MD5=c37b575c3a96b9788c26cefcf43f3542|MD5=e4266262a77fffdea2584283f6c4f51d|MD5=054299e09cea38df2b84e6b29348b418|MD5=4cc3ddd5ae268d9a154a426af2c23ef9|MD5=d717f8de642b65f029829c34fbd13a45|MD5=e79c91c27df3eaf82fb7bd1280172517|MD5=fd7de498a72b2daf89f321d23948c3c4|MD5=6682176866d6bd6b4ea3c8e398bd3aae|MD5=eb525d99a31eb4fff09814e83593a494|MD5=e323413de3caec7f7730b43c551f26a0|MD5=353e5d424668d785f13c904fde3bac84|MD5=3b9698a9ee85f0b4edf150deef790ccd|MD5=3f8cdaf7413000d34d6a1a1d5341a11b|MD5=dcd966874b4c8c952662d2d16ddb4d7c|MD5=3fda3d414c31ad73efd8ccceeaa3bdc2|MD5=ca6931fcbc1492d7283aa9dc0149032e|MD5=084bd27e151fef55b5d80025c3114d35|MD5=7c887f2b1a56b84d86828529604957db|MD5=c24800c382b38707e556af957e9e94fd|MD5=f84da507b3067f019c340b737cd68d32|MD5=d3026938514218766cb6d3b36ccfa322|MD5=6917ef5d483ed30be14f8085eaef521b|MD5=945ef111161bae49075107e5bc11a23f|MD5=44a3b9cc0a8e89c11544932b295ea113|MD5=6cc3c3be2de12310a35a6ab2aed141d6|MD5=085d3423f3c12a17119920f1a293ab4d|MD5=547971da89a47b6ad6459cd7d7854e12|MD5=aa5dd4beca6f67733e04d9d050ecd523|MD5=903c149851e9929ec45daefc544fcd99|MD5=ba5f0f6347780c2ed911bbf888e75bef|MD5=1873a2ce2df273d409c47094bc269285|MD5=97e3a44ec4ae58c8cc38eefc613e950e|MD5=1cb26adeca26aefb5a61065e990402da|MD5=17fe96af33f1fe475957689aeb5f816e|MD5=c5b8e612360277ac70aa328432a99fd6|MD5=62f8d7f884366df6100c7e892e3d70bf|MD5=a5deee418b7b580ca89db8a871dc1645|MD5=5f44a01ccc530b34051b9d0ccb5bb842|MD5=25ede0fd525a30d31998ea62876961ec|MD5=1c61eb82f1269d8d6be8de2411133811|MD5=338a98e1c27bc76f09331fcd7ae413a5|MD5=f66b96aa7ae430b56289409241645099|MD5=8ea94766cd7890483449dc193d267993|MD5=75fa19142531cbf490770c2988a7db64|MD5=ee3b74cdfed959782dff84153e3d5a6e|MD5=fdf975524d4cdb4f127d79aac571ae9e|MD5=688a10e87af9bcf0e40277d927923a00|MD5=62792c30836ae7861c3ca2409cd35c02|MD5=b62e2371158a082e239f5883bd6000d1|MD5=1f01257d9730f805b2a1d69099ef891d|MD5=b934322c68c30dceca96c0274a51f7b0|MD5=76355d5eafdfa3e9b7580b9153de1f30|MD5=9fdcd543574a712a80d62da8bfd8331c|MD5=1440c0da81c700bd61142bc569477d81|MD5=4c76554d9a72653c6156ca0024d21a8e|MD5=148bd10da8c8d64928a213c7bf1f2fca|MD5=95e4c7b0384da89dce8ea6f31c3613d9|MD5=e6cb1728c50bd020e531d19a14904e1c|MD5=62f02339fe267dc7438f603bfb5431a1|MD5=0a4e6bd5cc2e9172e461408be47c3149|MD5=28cb0b64134ad62c2acf77db8501a619|MD5=4ecfb46fcdce95623f994bd29bbe59cb|MD5=7ee0c884e7d282958c5b3a9e47f23e13|MD5=dbc415304403be25ac83047c170b0ec2|MD5=0c7f66cd219817eaab41f36d4bc0d4cd|MD5=3c9c537167923723429c86ab38743e7d|MD5=a57b47489febc552515778dd0fd1e51c|MD5=680dcb5c39c1ec40ac3897bb3e9f27b9|MD5=5f9785e7535f8f602cb294a54962c9e7|MD5=e4ea7ebfa142d20a92fbe468a77eafa6|MD5=32365e3e64d28cc94756ac9a09b67f06|MD5=be9eeea2a8cac5f6cd92c97f234e2fe1|MD5=5bd30b502168013c9ea03a5c2f1c9776|MD5=ba21bfa3d05661ba216873a9ef66a6e2|MD5=dad8f40626ed4702e0e8502562d93d7c|MD5=8fbb1ffc6f13f9d5ee8480b36baffc52|MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4|MD5=9dd414590e695ea208139c23db8a5aa3|MD5=270052c61f4de95ebfbf3a49fb39235f|MD5=19c0c18384d6a6d65462be891692df9c|MD5=a26e600652c33dd054731b4693bf5b01|MD5=8b779fe1d71839ad361226f66f1b3fe5|MD5=8ad9dfc971df71cd43788ade6acf8e7d|MD5=2dbc09c853c4bf2e058d29aaa21fa803|MD5=13ee349c15ee5d6cf640b3d0111ffc0e|MD5=fef60a37301e1f5a3020fa3487fb2cd7|MD5=4353b713487a2945b823423bbbf709bd|MD5=875c44411674b75feb07592aeffa09c1|MD5=b971b79bdca77e8755e615909a1c7a9f|MD5=ad03f225247b58a57584b40a4d1746d3|MD5=2229d5a9a92b62df4df9cf51f48436f7|MD5=5bb840db439eb281927588dbce5f5418|MD5=fd80c3d38669b302de4b4b736941c0d1|MD5=d1440503d1528c55fdc569678a663667|MD5=d1e57c74bafa56e8e2641290d153f4d2|MD5=c9b046a6961957cc6c93a5192d3e61e3|MD5=ff795e4f387c3e22291083b7d6b92ffb|MD5=782f165b1d2db23f78e82fee0127cc14|MD5=002a58b90a589913a07012253662c98c|MD5=0211ab46b73a2623b86c1cfcb30579ab|MD5=d0a5b98788e480c12afc65ad3e6d4478|MD5=d6cc5709aca6a6b868962a6506d48abc|MD5=08001b0cdb0946433366032827d7a187|MD5=8fc6cafd4e63a3271edf6a1897a892ae|MD5=0e207ef80361b3d047a2358d0e2206b4|MD5=b10b210c5944965d0dc85e70a0b19a42|MD5=006d9d615cdcc105f642ab599b66f94e|MD5=b32497762d916dba6c827e31205b67dd|MD5=f766a9bb7cd46ba8c871484058f908f0|MD5=546db985012d988e4482acfae4a935a8|MD5=700e9902b0a28979724582f116288bad|MD5=0395b4e0eb21693590ad1cfdf7044b8b|MD5=d95c9a241e52b4f967fa4cdb7b99fc80|MD5=ee91da973bebe6442527b3d1abcc3c80|MD5=1a234f4643f5658bab07bfa611282267|MD5=1898ceda3247213c084f43637ef163b3|MD5=1b5c3c458e31bede55145d0644e88d75|MD5=42132c7a755064f94314b01afb80e73c|MD5=1b76363059fef4f7da752eb0dfb0c1e1|MD5=cc8855fe30a9cdef895177a4cf1a3dad|MD5=6d4159694e1754f262e326b52a3b305a|MD5=b7ca4c32c844df9b61634052ae276387|MD5=361a598d8bb92c13b18abb7cac850b01|MD5=27bcbeec8a466178a6057b64bef66512|MD5=f310b453ac562f2c53d30aa6e35506bb|MD5=14add4f16d80595e6e816abf038141e5|MD5=ab53d07f18a9697139ddc825b466f696|MD5=278761b706276f9b49e1e2fd21b9cb07|MD5=60e84516c6ec6dfdae7b422d1f7cab06|MD5=20afd54ca260e2bf6589fac72935fecf|MD5=3ad7b36a584504b3c70b5f552ba33015|MD5=9f3b5de6fe46429bed794813c6ae8421|MD5=7b9717c608a5f5a1c816128a609e9575|MD5=798de15f187c1f013095bbbeb6fb6197|MD5=66066d9852bc65988fb4777f0ff3fbb4|MD5=13dda15ef67eb265869fc371c72d6ef0|MD5=63e333d64a8716e1ae59f914cb686ae8|MD5=3411fdf098aa20193eee5ffa36ba43b2|MD5=ad6d5177656dfc5b43def5d13d32f9f6|MD5=97221e16e7a99a00592ca278c49ffbfc|MD5=010c0e5ac584e3ab97a2daf84cf436f5|MD5=29b1ddc69e89b160cc3722e5e0738fd8|MD5=aad4fb47cb39a9ab4159662a29e1ee88|MD5=4e093256b034925ecd6b29473ff16858|MD5=51c233297c3aa16c4222e35ded1139b6|MD5=9945823e9846724c70d2f8d66a403300|MD5=aa2ef08d48b66bd814280976614468a7|MD5=33fc573c0e8bedfe3614e17219273429|MD5=c08063f052308b6f5882482615387f30|MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9|MD5=3f29f651a3c4ff5ce16d61deccf46618|MD5=08c1bce6627764c9f8c79439555c5636|MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d|MD5=c1d063c9422a19944cdaa6714623f2ec|MD5=b0809d8adc254c52f9d06362489ce474|MD5=a22626febc924eb219a953f1ee2b9600|MD5=5a615f4641287e5e88968f5455627d45|MD5=de2aac9468158c73880e31509924d7e0|MD5=dd38cc344d2a0da1c03e92eb4b89a193|MD5=c1fce7aac4e9dd7a730997e2979fa1e2|MD5=0634299fc837b47b531e4762d946b2ae|MD5=e4ff4edce076f21f5f8d082a62c9db8b|MD5=43ed1d08c19626688db34f63e55114fb|MD5=6c28461e78f8d908ca9a66bad2e212f7|MD5=8aa9d47ec9a0713c56b6dec3d601d105|MD5=c9390a8f3ca511c1306a039ca5d80997|MD5=c60a4bc4fec820d88113afb1da6e4db3|MD5=6b3abe55c4d39e305a11b4d1091dfaac|MD5=f4a31e08f89e5f002ef3cf7b1224af5f|MD5=d7cf689e6c63d37bc071499f687300dd|MD5=7c0b186d1912686cfcb8cd9cdebabe58|MD5=8cb2ffb8bb0bbf8cd0dd685611854637|MD5=9b359b722ac80c4e0a5235264e1e0156|MD5=09927915aba84c8acd91efdaac674b86|MD5=e4b50e44d1f12a47e18259b41074f126|MD5=0ec361f2fba49c73260af351c39ff9cb|MD5=65ad6a7c43f8d566afd5676f9447b6c1|MD5=ddb7da975d90b2a9c9c58e1af55f0285|MD5=8291dcbcbccc2ce28195d04ac616a1b5|MD5=2da269863ed99be7b6b8ec2adc710648|MD5=2ab9f5a66d75adb01171bb04ab4380f2|MD5=3a7c69293fcd5688cc398691093ec06a|MD5=13a2b915f6d93e52505656773d53096f|MD5=7bd840ff7f15df79a9a71fec7db1243e|MD5=0a6a1c9a7f80a2a5dcced5c4c0473765|MD5=a1547e8b2ca0516d0d9191a55b8536c0|MD5=e04ff937f6fd273b774f23aed5dd8c13|MD5=fac8eb49e2fd541b81fcbdeb98a199cb|MD5=cb31f1b637056a3d374e22865c41e6d9|MD5=c69c292e0b76b25a5fa0e16136770e11|MD5=cebf532d1e3c109418687cb9207516ad|MD5=eeb8e039f6d942538eb4b0252117899a|MD5=4d99d02f49e027332a0a9c31c674e13b|MD5=e9a30edef1105b8a64218f892b2e56ed|MD5=dd04cd3de0c19bede84e9c95a86b3ca8|MD5=70196d88c03f2ea557281b24dad85de5|MD5=708ac9f7b12b6ca4553fd8d0c7299296|MD5=cafbf85b902f189ba35f3d7823aad195|MD5=d48f681f70e19d2fa521df63bc72ab9e|MD5=6ae9d25e02b54367a4e93c2492b8b02e|MD5=f14359ceb3705d77353b244bb795b552|MD5=0d992b69029d1f23a872ff5a3352fb5b|MD5=9993a2a45c745bb0139bf3e8decd626c|MD5=6d67da13cf84f15f6797ed929dd8cf5d|MD5=c2eb4539a4f6ab6edd01bdc191619975|MD5=349fa788a4a7b57e37e426aca9b736d5|MD5=4c016fd76ed5c05e84ca8cab77993961|MD5=ea14899d1bfba397bc731770765768d1|MD5=4ec08e0bcdf3e880e7f5a7d78a73440c|MD5=e65fa439efa9e5ad1d2c9aee40c7238e|MD5=0898af0888d8f7a9544ef56e5e16354e|MD5=10e681ce84afdd642e59ddfdb28284e9|MD5=b5f96dd5cc7d14a9860ab99d161bf171|MD5=37c3a9fef349d13685ec9c2acaaeafce|MD5=027e10a5048b135862d638b9085d1402|MD5=b0baac4d6cbac384a633c71858b35a2e|MD5=d0a5f9ace1f0c459cef714156db1de02|MD5=b34361d151c793415ef92ee5d368c053|MD5=f0fdfdf3303e2f7c141aa3a24d523af1|MD5=d424f369f7e010249619f0ecbe5f3805|MD5=639252292bb40b3f10f8a6842aee3cd4|MD5=7e6e2ed880c7ab115fca68136051f9ce|MD5=f8dce1eb0f9fcaf07f68fe290aa629e4|MD5=fa222bed731713904320723b9c085b11|MD5=aa69b4255e786d968adbd75ba5cf3e93|MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a|MD5=00685003005b0b437af929f0499545e4|MD5=85e606523ce390f7fcd8370d5f4b812a|MD5=23cf3da010497eb2bf39a5c5a57e437c|MD5=dc9be271f403e2278071d6ece408ff28|MD5=6b16512bffe88146a7915f749bd81641|MD5=c2585e2696e21e25c05122e37e75a947|MD5=165178829b5587a628977bfca6fd6900|MD5=24156523b923fd9dcfdd0ac684dcdb20|MD5=750d1f07ea9d10b38a33636036c30cca|MD5=fc90bcc43daa48882be359a17b71abf7|MD5=09672532194b4bff5e0f7a7d782c7bf2|MD5=212bfd1ef00e199a365aeb74a8182609|MD5=e3d290406de40c32095bd76dc88179fb|MD5=715572dfe6fb10b16f980bfa242f3fa5|MD5=c8f88ca47b393da6acf87fa190e81333|MD5=d0c2caa17c7b6d2200e1b5aa9d07135e|MD5=16a8e8437b94d6207af2f25fd4801b6d|MD5=7bdf418a65ec33ec8ff47e7de705a4e1|MD5=31f34de4374a6ed0e70a022a0efa2570|MD5=cfad9185ffcf5850b5810c28b24d5fc8|MD5=6ba221afb17342a3c81245a4958516a2|MD5=f44f6ec546850ceb796a2cb528928a91|MD5=34a7fab63a4ed5a0b61eb204828e08e5|MD5=a92bf3c219a5fa82087b6c31bdf36ff3|MD5=fa0d1fca7c5b44ce3b799389434fcaa5|MD5=affe4764d880e78b2afb2643b15b8d41|MD5=f80ceb0dbb889663f0bee058b109ce0e|MD5=25ebe6f757129adbe78ec312a5f1800b|MD5=7f7b8cde26c4943c9465e412adbb790f|MD5=bfe96411cf67edb3cee2b9894b910cd5|MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1|MD5=0420fa6704fd0590c5ce7176fdada650|MD5=7ed6030f14e66e743241f2c1fa783e69|MD5=61e8367fb57297a949c9a80c2e0e5a38|MD5=7951fa3096c99295d681acb0742506bf|MD5=bcd60bf152fdec05cd40562b466be252|MD5=376b1e8957227a3639ec1482900d9b97|MD5=7331720a5522d5cd972623326cf87a3f|MD5=8e78ab9b9709bafb11695a0a6eddeff9|MD5=8abbb12e61045984eda19e2dc77b235e|MD5=0199a59af05d9986842ecbdee3884f0c|MD5=729afa54490443da66c2685bd77cb1f0|MD5=95c88d25e211a4d52a82c53e5d93e634|MD5=aa55dd14064cb808613d09195e3ba749|MD5=ef1afb3a5ddad6795721f824690b4a69|MD5=db46c56849bbce9a55a03283efc8c280|MD5=991230087394738976dbd44f92516cae|MD5=3af19d325f9dcdf360276ae5e7c136ea|MD5=98763a3dee3cf03de334f00f95fc071a|MD5=4b194021d6bd6650cbd1aed9370b2329|MD5=517d484bdbad4637188ec7a908335b86|MD5=2ddd3c0e23bc0fd63702910c597298b4|MD5=120b5bbb9d2eb35ff4f62d79507ea63a|MD5=6bada94085b6709694f8327c211d12e1|MD5=5c5f1c2dc6c2479bafec7c010c41c6ec|MD5=ab81264493c218a0e875a0d50104ac9f|MD5=ea2ff60fcce3b9ffe0bd77658b88512d|MD5=76d1d4d285f74059f32b8ad19a146d0c|MD5=b9cf3294c13cdea624ab95ca3e2e483f|MD5=0cd0fe9d16b62415b116686a2f414f8c|MD5=2503c4cf31588f0b011eb992ca3ee7ff|MD5=f0470f82ba58bc4309f83a0f2aefa4d5|MD5=db72def618cbc3c5f9aa82f091b54250|MD5=2ff629de3667fcd606a0693951f1c1a9|MD5=119f0656ab4bb872f79ee5d421e2b9f9|MD5=55a7c51dc2aa959c41e391db8f6b8b4f|MD5=009876ab9cf3a3d4e3fc3afe13ae839e|MD5=f8a13d4413a93dd005fad116cbd6b6f7|MD5=5093f38d597532d59d4df9018056f0d1|MD5=00f887e74faad40e6e97d9d0e9c71370|MD5=0215d0681979987fe908fb19dab83399|MD5=7962d91b1f53ce55c7338788bd4eb378|MD5=1bca427ab8e67a9db833eb8f0ff92196|MD5=a730b97ab977aa444fa261902822a905|MD5=a453083b8f4ca7cb60cac327e97edbe2|MD5=afc2448b4080f695e76e059a96958cab|MD5=4f963d716a60737e5b59299f00daf285|MD5=ee59b64ae296a87bf7a6aee38ad09617|MD5=1c9d2a993e99054050b596d88b307d95|MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9|MD5=4c6d311e0b13c4f469f717db4ab4d0e7|MD5=84fb76ee319073e77fb364bbbbff5461|MD5=d660fc7255646d5014d45c3bca9c6e20|MD5=ecccbf1e7c727f923c9d709707800e6c|MD5=94ccef76fda12ab0b8270f9b2980552b|MD5=f853abe0dc162601e66e4a346faed854|MD5=154fd286c96665946d55a7d49923ad7e|MD5=a5afd20e34bcd634ebd25b3ab2ff3403|MD5=c9c7113f5e15f70fcc576e835c859d56|MD5=ad22a7b010de6f9c6f39c350a471a440|MD5=7a6a6d6921cd1a4e1d61f9672a4560d6|MD5=9af5ae780b6a9ea485fa15f28ddb20a7|MD5=1f15a513abc039533ca996552ba27e51|MD5=d1bac75205c389d6d5d6418f0457c29b|MD5=36527fdb70ed6f74b70a98129f82ad62|MD5=3d5164e85d740bce0391e2b81d49d308|MD5=30550db8f400b1e11593dffd644abb67|MD5=b17fb1ad5e880467cf7e61b1ee8e3448|MD5=6f5d54ab483659ac78672440422ae3f1|MD5=f042e8318cf20957c2339d96690c3186|MD5=5158f786afa19945d19bee9179065e4d|MD5=328a2cb2da464b0c2beb898ff9ae9f3a|MD5=e7273e17ac85dc4272c4c4400091a19e|MD5=d74d202646e5a6d0d2c4207e1f949826|MD5=9ce1b0e5cfa8223cec3be1c7616e9f63|MD5=55cd6b46ac25bbe01245f2270a0d6cb8|MD5=b8b6686324f7aa77f570bc019ec214e6|MD5=d104621c93213942b7b43d65b5d8d33e|MD5=8cc5a4045a80a822cbc1e9eadff8e533|MD5=ef18d594c862d6d3704b777fa3445ac2|MD5=b941c8364308990ee4cc6eadf7214e0f|MD5=2ca1044a04cb2f0ce5bd0a5832981e04|MD5=f8fe655b7d63dbdc53b0983a0d143028|MD5=cd9f0fcecf1664facb3671c0130dc8bb|MD5=3e9ee8418f22a8ae0e2bf6ff293988fa|MD5=3bf217f8ef018ca5ea20947bfdfc0a4d|MD5=778b7feea3c750d44745d3bf294bd4ce|MD5=4514a0e8bcab7de4cff55999cdf00cd1|MD5=5228b7a738dc90a06ae4f4a7412cb1e9|MD5=159f89d9870e208abd8b912c3d1d3ae9|MD5=e425c66663c96d5a9f030b0ad4d219a8|MD5=85b756463ab0c000f816260d49923cde|MD5=acd221ff7cf10b6117fd609929cde395|MD5=a87689b1067edacc48fddf90020dee23|MD5=0d123be07e2dfd2b2ade49ad2a905a5b|MD5=3ae11bde32cdbd8637124ada866a5a7e|MD5=cc35379f0421b907004a9099611ee2cd|MD5=23b807c09b9b6ea85ed5c508aab200b7|MD5=26d973d6d9a0d133dfda7d8c1adc04b7|MD5=eba6b88bc7bca21658bda9533f0bbff8|MD5=9eb524c5f92e5b80374b8261292fdeb5|MD5=4a23e0f2c6f926a41b28d574cbc6ac30|MD5=c61876aaca6ce822be18adb9d9bd4260|MD5=aae268c4b593156bdae25af5a2a4af21|MD5=de711decdd763a73098372f752bf5a1c|MD5=1b32c54b95121ab1683c7b83b2db4b96|MD5=9aa7ed7809eec0d8bc6c545a1d18107a|MD5=07493c774aa406478005e8fe52c788b2|MD5=9b9d367cb53df0a2e0850760c840d016|MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73|MD5=766f9ea38918827df59a6aed204d2b09|MD5=f670d1570c75ab1d8e870c1c6e3baba1|MD5=34edf3464c3f5605c1ca3a071f12e28c|MD5=bae1f127c4ff21d8fe45e2bbfc59c180|MD5=31469f1313871690e8dc2e8ee4799b22|MD5=79483cb29a0c428e1362ec8642109eee|MD5=c607c37af638fa4eac751976a6afbaa6|MD5=fb7637cfe8562095937f4d6cff420784|MD5=d98d2f80b94f70780b46d1f079a38d93|MD5=35fbc4c04c31c1a40e666be6529c6321|MD5=969f1d19449dc5c2535dd5786093f651|MD5=986f083e5fd01eea4ec3b2575a110a95|MD5=ccf523b951afaa0147f22e2a7aae4976|MD5=978cd6d9666627842340ef774fd9e2ac|MD5=9d8cb58b9a9e177ddd599791a58a654d|MD5=e3fda6120dfa016a76d975fdab7954f6|MD5=e99e86480d4206beb898dda82b71ca44|MD5=a2be99e4904264baa5649c4d4cd13a17|MD5=563b33cfc3c815feff659caaa94edc33|MD5=18b4bbeae6b07d2e21729b8698bbd25a|MD5=f51065667fb127cf6de984daea2f6b24|MD5=35c8fdf881909fa28c92b1c2741ac60b|MD5=477e02a8e31cde2e76a8fb020df095c2|MD5=6b6dfb6d952a2e36efd4a387fdb94637|MD5=f7d963c14a691a022301afa31de9ecef|MD5=9638f265b1ddd5da6ecdf5c0619dcbe6|MD5=2e48c3b8042fdcef0ed435562407bd21|MD5=ada5f19423f91795c0372ff39d745acf|MD5=702d5606cf2199e0edea6f0e0d27cd10|MD5=0809f48fd30845d983d569b847fa83cf|MD5=743c403d20a89db5ed84c874768b7119|MD5=ed6348707f177629739df73b97ba1b6e|MD5=f33c3f08536f988aac84d72d83b139a6|MD5=34686a4b10f239d781772e9e94486c1a|MD5=d77fb9fb256b0c2ec0258c39b80dc513|MD5=b2e4e588ce7b993cc31c18a0721d904d|MD5=eda6e97b453388bb51ce84b8a11d9d13|MD5=d90cdd8f2826e5ea3faf8e258f20dc40|MD5=736c4b85ce346ddf3b49b1e3abb4e72a|MD5=b5ada7fd226d20ec6634fc24768f9e22|MD5=843e39865b29bb3df825bd273f195a98|MD5=7671bbf15b7a8c8f59a0c42a1765136a|MD5=6c5e50ef2069896f408cdaaddd307893|MD5=67b5b8607234bf63ce1e6a52b4a05f87|MD5=24589081b827989b52d954dcd88035d0|MD5=8fcf90cb5f9cb7205c075c662720f762|MD5=812e960977116bf6d6c1ccf8b5dd351f|MD5=a4fda97f452b8f8705695a729f5969f7|MD5=6f7125540e5e90957ba5f8d755a8d570|MD5=5a1ee9e6a177f305765f09b0ae6ac1c5|MD5=4b42a7a6327827a8dbdecf367832c0cd|MD5=663f2fb92608073824ee3106886120f3|MD5=d6c4baecff632d6ad63c45fc39e04b2f|MD5=4ae55080ec8aed49343e40d08370195c|MD5=21be10f66bb65c1d406407faa0b9ba95|MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6|MD5=a223f8584bcb978c003dd451b1439f8d|MD5=f30db62d02a69c36ccb01ac9d41dc085|MD5=d396332f9d7b71c10b3b83da030690f0|MD5=715ac0756234a203cb7ce8524b6ddc0d|MD5=b94ffce20e36b2930eb3ac72f72c00d6|MD5=efb4ed2040b9b3d408aab8dc15df5a06|MD5=8f1255efd2ed0d3b03a02c6b236c06d6|MD5=530feb1e37831302f58b7c219be6b844|MD5=2e219df70fccb79351f0452cba86623e|MD5=99c131567c10c25589e741e69a8f8aa3|MD5=6fb3d42a4f07d8115d59eb2ea6504de5|MD5=839cbbc86453960e9eb6db814b776a40|MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd|MD5=46edb648c1b5c3abd76bd5e912dac026|MD5=bd067efb8cafd971142bc964b4f85df1|MD5=3db2afc15e7cc78bd11f4c726060db5c|MD5=01f092be2a36a5574005e25368426ad2|MD5=65c069af3875494ec686afbb0c3da399|MD5=ce65b7adcf954eb36df62ea3d4a628c7|MD5=ae5eb2759305402821aeddc52ba9a6d6|MD5=048549f7e9978aff602a24dea98ee48a|MD5=da8437200af5f3f790e301b9958993d2|MD5=590875a0b2eeb171403fc7d0f5110cb2|MD5=bc71da7c055e3172226090ba5d8e2248|MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab|MD5=14eead4d42728e9340ec8399a225c124|MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5|MD5=5e9d5c59ba1f1060f53909c129df3355|MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7|MD5=6909b5e86e00b4033fedfca1775b0e33|MD5=2b4e66fac6503494a2c6f32bb6ab3826|MD5=a125390293d50091b643cfa096c2148c|MD5=79bfbeb4e8cfdd0cb1d73612360bd811|MD5=389823db299b350f2ee830d47376eeac|MD5=a17c403c4b74d4fa920c3887066daeb2|MD5=1793e1d4247b29313325d1462dec81e2|MD5=c31610f4c383204a1fc105c54b7403c9|MD5=0ec31f45e2e698a83131b4443f9a6dd7|MD5=4885e1bf1971c8fa9e7686fd5199f500|MD5=f83c61adbb154d46dd8f77923aa7e9c3|MD5=5cc5c26fc99175997d84fe95c61ab2c2|MD5=49832b4f726cdff825257bee33ad8451|MD5=1493d342e7a36553c56b2adea150949e|MD5=df9953fa93e1793456a8d428ba7e5700|MD5=40bc58b7615d00eb55ad9ba700c340c1|MD5=ba2c0fa201c74621cddd8638497b3c70|MD5=3c9f9c1b802f66cf03cbe82dec2bd454|MD5=7d84a4ed0fcca3d098881a3f3283724b|MD5=0e14b69dcf67c20343f85f9fdb5b9300|MD5=17b97fbe2e8834d7ad30211635e1b271|MD5=7fbd3b4488a12eab56c54e7bb91516f3|MD5=9007c94c9d91ccff8d7f5d4cdddcc403|MD5=260eef181a9bf2849bfec54c1736613b|MD5=dbde0572d702d0a05c0d509d5624a4d7|MD5=5c5973d2caf86e96311f6399513ab8df|MD5=0703c1e07186cb98837a2ae76f50d42e|MD5=5970e8de1b337ca665114511b9d10806|MD5=2580fb4131353ec417b0df59811f705c|MD5=fa63a634189bd4d6570964e2161426b0|MD5=ee57cbe6ec6a703678eaa6c59542ff57|MD5=e140cb81bd27434fc4fd9080b7551922|MD5=49fe3d1f3d5c2e50a0df0f6e8436d778|MD5=a3af4a4fa6cba27284f8289436c2f074|MD5=192519661fe6d132f233d0355c3f4a6d|MD5=394e290aff9d4e78e504cedfb2d99350|MD5=2e7d824a49d731da9fc96262a29c85ce|MD5=f7cbbb5eb263ec9a35a1042f52e82ca4|MD5=2d8e4f38b36c334d0a32a7324832501d|MD5=443689645455987cb347154b391f734d|MD5=9258e3cb20e24a93d4afdee9f5a0299c|MD5=0067c788e1cb174f008c325ebde56c22|MD5=79f7e6f98a5d3ab6601622be4471027f|MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59|MD5=2f1ebc14bd8a29b89896737ca4076002|MD5=43830326cd5fae66f5508e27cbec39a0|MD5=df5f8e118a97d1b38833fcdf7127ab29|MD5=8de7dcade65a1f51605a076c1d2b3456|MD5=fadf9c1365981066c39489397840f848|MD5=2c957aa79231fad8e221e035db6d0d81|MD5=fd81af62964f5dd5eb4a828543a33dcf|MD5=045ef7a39288ba1f4b8d6eca43def44f|MD5=90f8c1b76f786814d03ef4c51d4abb6d|MD5=17719a7f571d4cd08223f0b30f71b8b8|MD5=bdd8dc8880dfbc19d729ca51071de288|MD5=d79b8b7bed8d30387c22663b24e8c191|MD5=57cd52ed992b634e74d2ddf9853a73b3|MD5=1c294146fc77565030603878fd0106f9|MD5=b7946feaeae34d51f045c4f986fa62ce|MD5=86fd54c56dcafe2de918c36f8dfda67e|MD5=adc1e141b57505fd011bc1efb1ae6967|MD5=6822566b28be75b2a76446a57064369f|MD5=d9ce18960c23f38706ae9c6584d9ac90|MD5=935a7df222f19ac532e831e6bf9e8e45|MD5=664ad9cf500916c94fc2c0020660ac4e|MD5=356bda2bf0f6899a2c08b2da3ec69f13|MD5=dacb62578b3ea191ea37486d15f4f83c|MD5=89c7bd12495e29413038224cb61db02e|MD5=f60a9b88c6ff07d4990d8653d0025683|MD5=710b290a00598fbb1bcc49b30174b2c9|MD5=5c9f240e0b83df758993837d18859cbe|MD5=cb0c5d3639fcd810cde94b7b990aa51c|MD5=4d17b32be70ef39eae5d5edeb5e89877|MD5=0d4306983e694c1f34920bae12d887e6|MD5=2751c7fd7f09479fa2b15168695adebc|MD5=84ba7af6ada1b3ea5efb9871a0613fc6|MD5=0a653d9d0594b152ca835d0b2593269f|MD5=02198692732722681f246c1b33f7a9d9|MD5=9d884ecd3b6c3f2509851ea15ffefbef|MD5=3473faea65fba5d4fbe54c0898a3c044|MD5=013719e840e955c2e4cd9d18c94a2625|MD5=5e71c0814287763d529822d0a022e693|MD5=9f94028cbcf6789103cb5bb6fcef355d|MD5=0d8daf471d871deb90225d2953c0eb95|MD5=ad612a7eb913b5f7d25703cd44953c35|MD5=fe3fb6719e86481a3514ab9e00a55bcf|MD5=3e87e3346441539d3a90278a120766df|MD5=fa173832dca1b1faeba095e5c82a1559|MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5|MD5=803a371a78d528a44ef8777f67443b16|MD5=257483d5d8b268d0d679956c7acdf02d|MD5=02fc655279b8ea3ef37237c488b675cc|MD5=94999245e9580c6228b22ac44c66044c|MD5=88aada8325a3659736b3a7201c825664|MD5=92927c47d6ff139c9b19674c9d0088f6|MD5=05bf59560656c8a9a3191812b0e1235b|MD5=c098f8aeb67eeb2262dbf681690a9306|MD5=eb61616a7bc58e3f5b8cf855d04808c3|MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183|MD5=5efbbfcc6adac121c8e2fe76641ed329|MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0|MD5=e0528f756bbb2ab83c60f9fd6f541e42|MD5=eb4de413782193e824773723d790cfc4|MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a|MD5=97580157f65612f765f39af594b86697|MD5=21e72a43aedefcd70ca8999cc353b51b|MD5=d6b259b2dfe80bdf4d026063accd752c|MD5=ca7b41ce335051bf9dd7fa4a55581296|MD5=084a13f18856d610d44d3109a9d2acde|MD5=a5f637d61719d37a5b4868c385e363c0|MD5=1392b92179b07b672720763d9b1028a5|MD5=1a5a95d6bedbe29e5acf5eb6a727c634|MD5=a71020c6d6d42c5000e9993425247e06|MD5=a9f220b1507a3c9a327a99995ff99c82|MD5=7c40ec9ed020cc9404de8fe3a5361a09|MD5=fe937e1ed4c8f1d4eac12b065093ae63|MD5=4ca0dba9e224473d664c25e411f5a3bd|MD5=2a8662e91a51d8e04a94fa580c7d3828|MD5=942c6a8332d5dd06d8f4b2a9cb386ff4|MD5=0283b43c6bc965175a1c92b255d39556|MD5=2d91d45cd09dfc3f8e89da1c261fd1ac|MD5=187ddca26d119573223cf0a32ba55a61|MD5=1549e6cbce408acaddeb4d24796f2eaf|MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30|MD5=6cce5bb9c8c2a8293df2d3b1897941a2|MD5=e0fb44aba5e7798f2dc637c6d1f6ca84|MD5=de1cc5c266140bff9d964fab87a29421|MD5=66e0db8a5b0425459d0430547ecbb3db|MD5=03ca3b1cff154ab8855043abadd07956|MD5=2a5fb925125af951bd76c00579d61666|MD5=a2c5f994e9b4a74b2f5b51c7a44c4401|MD5=5c55fcfe39336de769bfa258ab4c901d|MD5=aa12c1cb47c443c6108bfe7fc1a34d98|MD5=8407ddfab85ae664e507c30314090385|MD5=be54aabf09c3fa4671b6efacafa389e3|MD5=296bde4d0ed32c6069eb90c502187d0d|MD5=1d768959aaa194d60e4524ce47708377|MD5=dca1c62c793f84bb2d8e41ca50efbff1|MD5=2a5ccd95292f03f0dd4899d18b55b428|MD5=1f950cfd5ed8dd9de3de004f5416fe20|MD5=35493772986f610753be29121cd68234|MD5=6212832f13b296ddbc85b24e22edb5ec|MD5=9b157f1261a8a42e4ef5ec23dd4cda9e|MD5=b89b097b8b8aecb8341d05136f334ebb|MD5=8942e9fa2459b1e179a6535ca16a2fb4|MD5=64efbffaa153b0d53dc1bccda4279299|MD5=70dcd07d38017b43f710061f37cb4a91|MD5=537e2c3020b1d48b125da593e66508ec|MD5=05b4463677e2566414ad53434ad9e7e5|MD5=7be3a7a743f2013c3e90355219626c2c|MD5=7f258c0161e9edca8e7f85ac0dd68e46|MD5=81df475ab8d37343f0ad2a55b1397a8f|MD5=f0aeb731d83f7ab6008c92c97faf6233|MD5=507a649eb585d8d0447eab0532ef0c73|MD5=5c5e3c7ca39d9472099ea81c329b7d75|MD5=a31246180e61140ad7ff9dd7edf1f6a1|MD5=9226339848e359f5e4cd519bef7dcd39|MD5=f544f9925cab71786e57241c10e08633|MD5=88d2143ae62878dada3aa0a6d8f7cea8|MD5=c06dda757b92e79540551efd00b99d4b|MD5=41ce6b172542a9a227e34a45881e1d2a|MD5=9bcb97a1697a70f59405786759af63b8|MD5=17c7bcae7ebabb95af2f7c91b19c361c|MD5=aaa8999a169e39fb8b48ae49cd6ac30a|MD5=9a5a35112c4f8016abcc6363b44d3385|MD5=6b2df08bacf640cc2ac6f20c76af07ee|MD5=ab4656d1ec4d4cc83c76f639a5340e84|MD5=697f698b59f32f66cd8166e43a5c49c7|MD5=4e90cd77509738d30d3181a4d0880bfa|MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3|MD5=16472fca75ab4b5647c99de608949cde|MD5=24fe18891c173a7c76426d08d2b0630e|MD5=2faa725dd9bb22b2100e3010f8a72182|MD5=251e1ce4e8e9b9418830ed3dc8edd5e3|MD5=1f3522c5db7b9dcdd7729148f105018e|MD5=d5a642329cce4df94b8dc1ba9660ae34|MD5=b2600502a5b962b8cdfac2ead24b17b4|MD5=c9cb486b4f652c9cfb8411803f8ed5f0|MD5=73c98438ac64a68e88b7b0afd11ba140|MD5=ab7b28b532beba6a6c0217bc406b80ee|MD5=75dbd5db9892d7451d0429bec1aabe1a|MD5=d4a10447fdaff7a001715191c1f914b6|MD5=31eca8c0b32135850d5a50aee11fec87|MD5=2cc65e805757cfc4f87889cdceb546cd|MD5=96b463b6fa426ae42c414177af550ba2|MD5=ef5ba21690c2f4ba7e62bf022b2df1f7|MD5=f406c5536bcf9bacbeb7ce8a3c383bfa|MD5=1ed043249c21ab201edccb37f1d40af9|MD5=86635fdc8e28957e6c01fc483fe7b020|MD5=520c18f50d3cb2ce162767c4c1998b86|MD5=569676d3d45b0964ac6dd0815be8ff8c|MD5=3f39f013168428c8e505a7b9e6cba8a2|MD5=68726474c69b738eac3a62e06b33addc|MD5=c04a5cdcb446dc708d9302be4e91e46d|MD5=a179c4093d05a3e1ee73f6ff07f994aa|MD5=1a22a85489a94db6ff68cd624ef43bad|MD5=4ad30223df1361726ff64417f8515272|MD5=4cee9945f9a3e8f2433f5aa8c58671fb|MD5=f56f30ac68c35dd4680054cdfd8f3f00|MD5=31a331a88c6280555859455518a95c35|MD5=650f6531db6fb0ed25d7fc70be35a4da|MD5=82854a57630059d1ce2870159dc2f86b|MD5=d556cb79967e92b5cc69686d16c1d846|MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e|MD5=d9e7e5bcc5b01915dbcef7762a7fc329|MD5=a60c9173563b940203cf4ad38ccf2082|MD5=95a95e28cf5ee4ece6ffbaf169358192|MD5=397580c24c544d477688fcfca9c9b542|MD5=c5d1f8ed329ebb86ddd01e414a6a1718|MD5=ab4ee84e09b09012ac86d3a875af9d43|MD5=c9a293762319d73c8ee84bcaaf81b7b3|MD5=a641e3dccba765a10718c9cb0da7879e|MD5=dd39a86852b498b891672ffbcd071c03|MD5=715f8efab1d1c660e4188055c4b28eed|MD5=c046ca4da48db1524ddf3a49a8d02b65|MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a|MD5=bf581e9eb91bace0b02a2c5a54bf1419|MD5=d6c2e061b21c32c585aca5f38335c21c|MD5=7aa34cd9ea5649c24a814e292b270b6f|MD5=5eabc87416f59e894adfde065d0405fa|MD5=7ffdd78d63ca7307a96843cfe806799e|MD5=bbbc9a6cc488cfb0f6c6934b193891eb|MD5=113056ec5c679b6f74c9556339ebf962|MD5=f7745b42882dec947f6629ab9b7c39b7|MD5=4b60ef388071e0baf299496e3d6590ae|MD5=c006d1844f20b91d0ea52bf32d611f30|MD5=a0074303fe697a36d9397c0122e04973|MD5=ff7b31fa6e9ab923bce8af31d1be5bb2|MD5=2e887e52e45bba3c47ccd0e75fc5266f|MD5=7eeb4c0cb786a409b94066986addf315|MD5=e28ce623e3e5fa1d2fe16c721efad4c2|MD5=0eb3dfeffb49d32310d96f3aa3e8ca61|MD5=a15235fcec1c9b65d736661d4bec0d38|MD5=0ad87bba19f0b71ccb2d32239abd49ec|MD5=1c9001dcd34b4db414f0c54242fedf49|MD5=490b1f404c4f31f4538b36736c990136|MD5=1dc94a6a82697c62a04e461d7a94d0b0|MD5=555446a3ca8d9237403471d4744e39f4|MD5=100fe0bc0c183d16e1f08d1a2ad624a8|MD5=37086ae5244442ba552803984a11d6cb|MD5=5d4df0bac74e9ac62af6bc99440b050b|MD5=94cdf2cf363be5a8749670bea4db65cd|MD5=3a48f0e4297947663fbb11702aa1d728|MD5=98583b2f2efe12d2a167217a3838c498|MD5=7437d4070b5c018e05354c179f1d5e2a|MD5=7d46d0ddaf8c7e1776a70c220bf47524|MD5=3c4154866f3d483fdc9f4f64ef868888|MD5=91203acddac81511d17a68a030d063a8|MD5=7d87a9c54e49943bf18574c6f02788ee|MD5=8d63e1a9ff4cafee1af179c0c544365c|MD5=34069a15ae3aa0e879cd0d81708e4bcc|MD5=e4788e5b3e5f0a0bbb318a9c426c2812|MD5=1c591efa8660d4d36a75db9b82474174|MD5=e9e786bdba458b8b4f9e93d034f73d00|MD5=d5db81974ffda566fa821400419f59be|MD5=a926b64be7c27ccb96e687a3924de298|MD5=1c4acf27317a2b5eaedff3ce6094794d|MD5=cd1c8a66e885b7a8b464094395566a46|MD5=edfa69e9132a56778d6363cd41843893|MD5=1ed08a6264c5c92099d6d1dae5e8f530|MD5=f690bfc0799e51a626ba3931960c3173|MD5=7c983b4e66c4697ad3ce7efc9166b505|MD5=4a06bcd96ef0b90a1753a805b4235f28|MD5=c28b4a60ebd4b8c12861829cc13aa6ff|MD5=e700a820f117f65e813b216fccbf78c9|MD5=515c75d77c64909690c18c08ef3fc310|MD5=7056549baa6da18910151b08121e2c94|MD5=61b068b10abfa0776f3b96a208d75bf9|MD5=c901887f28bbb55a10eb934755b47227|MD5=0761c357aed5f591142edaefdf0c89c8|MD5=f141db170bb4c6e088f30ddc58404ad3|MD5=6d97ee5b3300d0f7fa359f2712834c40|MD5=53f103e490bc11624ef6a51a6d3bdc05|MD5=3482acba11c71e45026747dbe366a7d9|MD5=7475bfea6ea1cd54029208ed59b96c6b|MD5=d011d5fecdc94754bf02014cb229d6bc|MD5=42f7cc4be348c3efd98b0f1233cf2d69|MD5=45c2d133d41d2732f3653ed615a745c8|MD5=71fffc05cff351a6f26f78441cfebe26|MD5=da6f7407c4656a2dbaf16a407aff1a38|MD5=5dd25029499cd5656927e9c559955b07|MD5=a82c01606dc27d05d9d3bfb6bb807e32|MD5=8a973be665923e9708974e72228f9805|MD5=312e31851e0fc2072dbf9a128557d6ef|MD5=4ff880566f22919ed94ffae215d39da5|MD5=fcc5de75c1837b631ed77ea4638704b9|MD5=279f3b94c2b9ab5911515bc3e0ecf175|MD5=61d6b1c71ad94f8485e966bebc36d092|MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85|MD5=4a829b8cf1f8fdb69e1d58ae04e6106e|MD5=e4d4a22cbf94e6b0a92fc36d46741f56|MD5=e4a0bba88605d4c07b58a2cc3fac0fe9|MD5=272446de15c63095940a3dad0b426f21|MD5=f160ecce1500a5a5877c123584e86b17|MD5=0a2ec9e3e236698185978a5fc76e74e6|MD5=21ca6a013a75fcf6f930d4b08803973a|MD5=e432956d19714c65723f9c407ffea0c5|MD5=4e4b9bdcc6b8d97828ae1972d750a08d|MD5=67e3b720cee8184c714585a85f8058a0|MD5=03c9d5f24fd65ad57de2d8a2c7960a70|MD5=f65e545771fd922693f0ec68b2141012|MD5=7a16fca3d56c6038c692ec75b2bfee15|MD5=5adebdb94abb4c76dad2b7ecb1384a9d|MD5=003dc41d148ec3286dc7df404ba3f2aa|MD5=0490f5961e0980792f5cb5aedf081dd7|MD5=d3e40644a91327da2b1a7241606fe559|MD5=49938383844ceec33dba794fb751c9a5|MD5=f7393fb917aed182e4cbef25ce8af950|MD5=549e5148be5e7be17f9d416d8a0e333e|MD5=9a237fa07ce3ed06ea924a9bed4a6b99|MD5=96fb2101f85fa81871256107bdd25169|MD5=aa9adcf64008e13d7e68b56fdd307ead|MD5=62eed4173c566a248531fb6f20a5900d|MD5=87982977500b93330df08bf372435641|MD5=9e0af1fe4d6dd2ca4721810ed1c930d6|MD5=9b5533c4af38759d167d5399e83b475f|MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5|MD5=22ca5fe8fb0e5e22e6fb0848108c03f4|MD5=7b43dfd84de5e81162ebcfafb764b769|MD5=ccb09eb78e047c931708149992c2e435|MD5=8c1d181480796d7d3366a9381fd7782d|MD5=b5192270857c1f17f7290acbaadf097d|MD5=fe71c99a5830f94d77a8792741d6e6c7|MD5=238769fd8379ec476c1114bd2bd28ca6|MD5=cf7aeedd674417b648fc334d179c94ae|MD5=52b7cd123f6d1b9ed76b08f2ee7d9433|MD5=8d14b013fc2b555e404b1c3301150c34|MD5=2e492f14a1087374368562d01cd609aa|MD5=65e6718a547495c692e090d7887d247b|MD5=51e7b58f6e9b776568ffbd4dd9972a60|MD5=84c4d8ae023ca9bb60694fa467141247|MD5=69ac6165912cb263a656497cc70155e6|MD5=30efb7d485fc9c28fe82a97deac29626|MD5=f4b2580cf0477493908b7ed81e4482f8|MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac|MD5=595363661db3e50acc4de05b0215cc6f|MD5=cec257dcac9e708cefb17f8984dd0a70|MD5=0e51d96a3b878b396708535f49a6d7cb|MD5=f34489c0f0d0a16b4db8a17281b57eba|MD5=80b4041695810f98e1c71ff0cf420b6d|MD5=7978d858168fadd05c17779da5f4695a|MD5=557fd33ee99db6fe263cfcb82b7866b3|MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108|MD5=9b91a44a488e4d539f2e55476b216024|MD5=3b23808de1403961205352e94b8f2f9b|MD5=13bd61916343d94ebefc9a7911d7bf88|MD5=936729b8dc2282037bc1504c2680e3ad|MD5=9f70cd5edcc4efc48ae21e04fb03be9d|MD5=75e50ae2e0f783e0caf912f45e15248a|MD5=444f538daa9f7b340cfd43974ed43690|MD5=8b47c5580b130dd3f580af09323bc949|MD5=daf11013cf4c879a54ed6a86a05bee3c|MD5=eff3a9cc3e99ef3ddae57df72807f0c7|MD5=9982da703f13140997e137b1e745a2e3|MD5=f778489c7105a63e9e789a02412aaa5f|MD5=723381977ce7df57ec623db52b84f426|MD5=1db988eb9ac5f99756c33b91830a9cf6|MD5=c02f70960fa934b8defa16a03d7f6556|MD5=5e35c049bc8076406910da36edf9212d|MD5=241a095631570a9cef4f126c87605c60|MD5=bbe4f5f8b0c0f32f384a83ae31f49a00|MD5=b418293e25632c5f377bf034bb450e57|MD5=4f191abc652d8f7442ca2636725e1ed6|MD5=34e55ccceec34a8567c8b95d662ba886|MD5=4f5ca81806098204c4dea0927a8fec66|MD5=8b287636041792f640f92e77e560725e|MD5=56a515173b211832e20fbc64e5a0447c|MD5=2315a8919cfb167e718d8c788ed3ceca|MD5=2d465b4487dc81effaa84f122b71c24f|MD5=29ccff428e5eb70ae429c3da8968e1ec|MD5=28d6b138adc174a86c0f6248d8a88275|MD5=9beecfb3146f19400880da61476ef940|MD5=d5556c54c474cf0bff25804bfbe788d3|MD5=f7a09ac4a91a6390f8d00bf09f53ae37|MD5=0d6fef14f8e1ce5753424bd22c46b1ce|MD5=06897b431c07886454e0681723dd53e6|MD5=c533d6d64b474ffc3169a0e0fc0a701a|MD5=c52dce2bee8ec88748411e470ff531f6|MD5=71858fa117e6f3309606d5cdb57e6e09|MD5=259381daae0357fbfefe1d92188c496a|MD5=ceac1347acae9ad9496d4b0593256522|MD5=4124de3cb72f5dfd7288389862b03f2a|MD5=edbf206c27c3aa7d1890899dffcc03ec|MD5=a5ff71e189b462d2b1f0e9e8c4668d79|MD5=c49a1956a6a25ffc25ad97d6762b0989|MD5=c475c7d0f2d934f150b6c32c01479134|MD5=eb7f6d01c97783013115ad1a2833401a|MD5=e98f4cc2cbf9ec23fd84da30c0625884|MD5=bf74d0706f5ab9c34067192260f4efb0|MD5=0752f113d983030939b4ab98b0812cf0|MD5=7c22b7686c75a2bb7409b3c392cc791a|MD5=07efb8259b42975d502a058db8a3fd21|MD5=def0da6c95d14f7020e533028224250e|MD5=d4a9f80ecb448da510e5bf82c4a699ee|MD5=c5e7e8ca0d76a13a568901b6b304c3ba|MD5=59f6320772a2e6b0b3587536be4cc022|MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306|MD5=0ccc4e9396e0be9c4639faec53715831|MD5=c15eb30e806ad5e771b23423fd2040b0|MD5=f3d14fcdb86db8d75416ce173c6061af|MD5=637f2708da54e792c27f1141d5bb09cd|MD5=779af226b7b72ff9d78ce1f03d4a3389|MD5=a17c58c0582ee560c72f60764ed63224|MD5=c2c1b8c00b99e913d992a870ed478a24|MD5=2b6a17ec50d3a21e030ed78f7acbd2af|MD5=76bb1a4332666222a8e3e1339e267179|MD5=0ef05030abd55ba6b02faa2c0970f67f|MD5=56a9e9b5334f8698a0ede27c64140982|MD5=9e0659d443a2b9d1afc75a160f500605|MD5=bc6ff00fb3a14437c94b37ac9a2101d4|MD5=2da209dde8188076a9579bd256dc90d0|MD5=11dc5523bb559f8d2ce637f6a2b70dea|MD5=12908c285b9d68ee1f39186110df0f1e|MD5=73a40e29f61e5d142c8f42b28a351190|MD5=0797bb21d7a0210fedf4f3533ee82494|MD5=6846c2035b4c56b488d2ce2c69a57261|MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95|MD5=41339c852c6e8e4c94323f500c87a79c|MD5=ce57844fb185d0cdd9d3ce9e5b6a891d|MD5=3ab94fba7196e84a97e83b15f7bcb270|MD5=0291ced808eafe406d3d9b56d2fc0c26|MD5=3836e2db9034543f63943cdbb52a691a|MD5=0dff47f3b14fb1c1bad47cc517f0581a|MD5=e8ebba56ea799e1e62748c59e1a4c586|MD5=2c54859a67306e20bfdc8887b537de72|MD5=4e67277648c63b79563360dac22b5492|MD5=26ce59f9fc8639fd7fed53ce3b785015|MD5=2927eac51c46944ab69ba81462fb9045|MD5=1a6e12c2d11e208bdf72a8962120fae7|MD5=daf800da15b33bf1a84ee7afc59f0656|MD5=9cbdb5fb6dc63cb13f10b6333407cbb9|MD5=9650db2ef0a44984845841ab24972ced|MD5=96a8b535b5e14b582ca5679a3e2a5946|MD5=33b3842172f21ba22982bfb6bffbda27|MD5=2391fb461b061d0e5fccb050d4af7941|MD5=8bf290b5eda99fc2697373a87f4e1927|MD5=5fade7137c14a94b323f3b7886fba2a9|MD5=a89ca92145fc330adced0dd005421183|MD5=96421b56dbda73e9b965f027a3bda7ba|MD5=d6e9f6c67d9b3d790d592557a7d57c3c|MD5=6fa271b6816affaef640808fc51ac8af|MD5=94d45bb36b13f4e936badb382fc133fe|MD5=e027daa2f81961d09aef88093e107d93|MD5=b1b8e6b85dd03c7f1290b1a071fc79c1|MD5=07fc1e043654fdde56da98d93523635c|MD5=118f3fdba730094d17aa1b259586aef6|MD5=2714c93eb240375a2893ed7f8818004f|MD5=641243746597fbd650e5000d95811ea3|MD5=449bb1c656fa30de7702f17e35b11cd3|MD5=96c850e53caca0469e1c4604e6c1aad1|MD5=12cecc3c14160f32b21279c1a36b8338|MD5=949ef0df929a71d6cc77494dfcb1ddeb|MD5=8065a7659562005127673ac52898675f|MD5=1033f0849180aac4b101a914bc8c53b4|MD5=8f73c1c48ffddfca7d1a98faf83d18ff|MD5=648adec580746afbbf59904c1e150c73|MD5=e84605c8e290de6b92ce81d2f6a175d2|MD5=300d6ac47a146eb8eb159f51bc13f7cf|MD5=392d7180653b0ca77a78bdf15953d865|MD5=f0e21ababe63668fb3fbd02e90cd1fa9|MD5=e0bfbdf3793ea2742c03f5a82cb305a5|MD5=00143c457c8885fd935fc5d5a6ba07a4|MD5=c8d3784a3ab7a04ad34ea0aba32289ca|MD5=9532893c1d358188d66b0d7b0784bb6b|MD5=564d84a799db39b381a582a0b2f738c4|MD5=fd3b7234419fafc9bdd533f48896ed73|MD5=be5f46fd1056f02a7a241e052fa5888f|MD5=2128e6c044ee86f822d952a261af0b48|MD5=4b817d0e7714b9d43db43ae4a22a161e|MD5=eaec88a63db9cf9cee53471263afe6fb|MD5=ecdc79141b7002b246770d01606504f2|MD5=ad866d83b4f0391aecceb4e507011831|MD5=88a6d84f4f1cc188741271ac1999a4e9|MD5=8580165a2803591e007380db9097bbcc|MD5=5c4df33951d20253a98aa7b5e78e571a|MD5=27d21eeff199ed555a29ca0ea4453cfb|MD5=43bfc857406191963f4f3d9f1b76a7bf|MD5=0fbf893691a376b168d8cdf427b89945|MD5=1762105b28eb90d19e9ab3acde16ead6|MD5=b41dcdb2e710dffba2d8ea1defb0f087|MD5=c42caa9cdcc50c01cb2fed985a03fe23|MD5=c516acb873c7f8c24a0431df8287756e|MD5=343ada10d948db29251f2d9c809af204|MD5=790ccca8341919bb8bb49262a21fca0e|MD5=51207adb8dab983332d6b22c29fe8129|MD5=f1e054333cc40f79cfa78e5fbf3b54c2|MD5=7c4e513702a0322b0e3bce29dea9e3e9|MD5=8ac6d458abbe4f5280996eb90235377c|MD5=6a1ff4806c1a6e897208f48a1f5b062f|MD5=a4531040276080441974d9e00d8d4cfa|MD5=d1f9ffe5569642c8f8c10ed7ee5d9391|MD5=09b3d078ffa3b4ed0ad2e477a2ee341f|MD5=83601bbe5563d92c1fdb4e960d84dc77|MD5=1414629b1ee93d2652ff49b2eb829940|MD5=84b17daba8715089542641990c1ea3c2|MD5=6ae4dec687ac6d1b635a4e351dddf73e|MD5=9dfd73dadb2f1c7e9c9d2542981aaa63|MD5=1e1a3d43bd598b231207ff3e70f78454|MD5=07f83829e7429e60298440cd1e601a6a|MD5=7c72a7e1d42b0790773efd8700e24952|MD5=f41eea88057d3dd1a56027c4174eed22|MD5=f53fa44c7b591a2be105344790543369|MD5=08e06b839499cb4b752347399db41b57|MD5=c3fea895fe95ea7a57d9f4d7abed5e71|MD5=785045f8b25cd2e937ddc6b09debe01a|MD5=53bb10742e10991af4ad280fcb134151|MD5=76c643ab29d497317085e5db8c799960|MD5=bce7f34912ff59a3926216b206deb09f|MD5=c4f5619ce04d4bee38024d08513c77fd|MD5=2a3ce41bb2a7894d939fbd1b20dae5a0|MD5=86bec99cd121b0386a5acc1c368a9d49|MD5=e076dadf37dd43a6b36aeed957abee9e|MD5=4a85754636c694572ca9f440d254f5ce|MD5=f4b7b84a6828d2f9205b55cf8cfc7742|MD5=8f5b84350bfc4fe3a65d921b4bd0e737|MD5=f9d04e99e4cab90973226a4555bc6d57|MD5=bc5366760098dc14ec00ae36c359f42b|MD5=b79475c4783efdd8122694c6b5669a79|MD5=5f4a232d92480a1bebbe025ef64dc760|MD5=1cff7b947f8c3dea1d34dc791fc78cdc|MD5=69ba501a268f09f694ff0e8e208aa20e|MD5=030c8432981e4d41b191624b3e07afe2|MD5=c56a9ed0192c5a2b39691e54f2132a2f|SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb|SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804|SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55|SHA1=f02af84393e9627ba808d4159841854a6601cf80|SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28|SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6|SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001|SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5|SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682|SHA1=f4728f490d741b04b611164a7d997e34458e3a5e|SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255|SHA1=bda26e533ef971d501095950010081b772920afc|SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b|SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0|SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb|SHA1=8795df6494b724d9f279f007db33c24c27a91d08|SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d|SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4|SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2|SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622|SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad|SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f|SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84|SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120|SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3|SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a|SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf|SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5|SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7|SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf|SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b|SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124|SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905|SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab|SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d|SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d|SHA1=8fb149fc476cf5bf18dc575334edad7caf210996|SHA1=091df975fa983e4ad44435ca092dbf84911f28a5|SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf|SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be|SHA1=90d73db752eac6ffc53555281fc5aa92297285ec|SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1|SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c|SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7|SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e|SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860|SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f|SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066|SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93|SHA1=bed323603a33fa8b2fc7568149345184690f0390|SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2|SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7|SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915|SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b|SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b|SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457|SHA1=0a5ef5b72e621a639860c03f1cac499567082f39|SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc|SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d|SHA1=064847af77afca8a879a9bf34cb87b64b5e69165|SHA1=468cc011807704c04892ed209cf81d7896a12a0c|SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41|SHA1=fc62b746e0e726537bf848b48212f46db585af6d|SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f|SHA1=eceb51233f013e04406da11482324d45e70281c7|SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e|SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543|SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82|SHA1=62244c704b0f227444d3a515ea0dc1003418a028|SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce|SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348|SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8|SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86|SHA1=0be77bb3720283c9a970a97dab25d2a312e86110|SHA1=213ba055863d4226da26a759e8a254062ea77814|SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3|SHA1=623cd2abef6c92255f79cbbd3309cb59176771da|SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8|SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e|SHA1=461882bd59887617cadc1c7b2b22d0a45458c070|SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3|SHA1=8278db134d3b505c735306393fdf104d014fb3bf|SHA1=22c909898f5babe37cc421b4f5ed0522196f8127|SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c|SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775|SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604|SHA1=8a922499f7a1b978555b46c30f90de1339760c74|SHA1=2540205480ea3d59e4031de3c6632e3ce2596459|SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3|SHA1=aaffdc89befa42e375f822366bbded8c245baf94|SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047|SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752|SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17|SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3|SHA1=fff7ee0febb8c93539220ca49d4206616e15c666|SHA1=205c69f078a563f54f4c0da2d02a25e284370251|SHA1=d302ae7f016299af323a3542d840004888ab91ff|SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370|SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b|SHA1=63cf021c8662fa23ce3e4075a4f849431e473058|SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281|SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72|SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb|SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1|SHA1=745bad097052134548fe159f158c04be5616afc2|SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978|SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493|SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95|SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d|SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a|SHA1=029c678674f482ababe8bbfdb93152392457109d|SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad|SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475|SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939|SHA1=4fe873544c34243826489997a5ff14ed39dd090d|SHA1=d06d119579156b1ec732c50f0f64358762eb631a|SHA1=27eab595ec403580236e04101172247c4f5d5426|SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f|SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd|SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8|SHA1=d61acd857242185a56e101642d15b9b5f0558c26|SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d|SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0|SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c|SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27|SHA1=35f803d483af51762bee3ec130de6a03362ce920|SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c|SHA1=004d9353f334e42c79a12c3a31785a96f330bbef|SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc|SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563|SHA1=2261198385d62d2117f50f631652eded0ecc71db|SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e|SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b|SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0|SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9|SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479|SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3|SHA1=e88259de797573fa515603ad3354aed0bce572f1|SHA1=f70eb454c0e9ea67a18c625faf7a666665801035|SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c|SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562|SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2|SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451|SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1|SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551|SHA1=4a7d66874a0472a47087fabaa033a85d47413379|SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09|SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409|SHA1=3f43412c563889a5f5350f415f7040a71cc25221|SHA1=8031ecbff95f299b53113ccd105582defad38d7b|SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e|SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db|SHA1=12154f58b68902a40a7165035d37974128deb902|SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c|SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63|SHA1=9310239b75394b75a963336fbd154038fc13c4e3|SHA1=7673cebd15488cbbb4ca65209f92faab3f933205|SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f|SHA1=190c20e130a9156442eebcf913746c69b9485eec|SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e|SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89|SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1|SHA1=3f223581409492172a1e875f130f3485b90fbe5f|SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344|SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0|SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79|SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d|SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d|SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703|SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886|SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd|SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4|SHA1=14bf0eaa90e012169745b3e30c281a327751e316|SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e|SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417|SHA1=e4e40032376279e29487afc18527804dce792883|SHA1=bebf97411946749b9050989d9c40352dbe8269ea|SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e|SHA1=b21cba198d721737aabd882ada6c91295a5975ed|SHA1=8f540936f2484d020e270e41529624407b7e107e|SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68|SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9|SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3|SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184|SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875|SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33|SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9|SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e|SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5|SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb|SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979|SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c|SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2|SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5|SHA1=59c4960851af9240dded4173c4f823727af19512|SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d|SHA1=9393698058ce1187eb87e8c148cfe4804761142d|SHA1=ed219d966a6e74275895cc0b975b79397760ea9f|SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa|SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c|SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f|SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579|SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b|SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e|SHA1=589a7d4df869395601ba7538a65afae8c4616385|SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f|SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946|SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47|SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d|SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488|SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa|SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11|SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436|SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b|SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5|SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8|SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2|SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd|SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f|SHA1=1951ae94c6ee63fa801208771b5784f021c70c60|SHA1=8b53284fb23d34ca144544b19f8fba63700830d8|SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05|SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb|SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c|SHA1=ac13941f436139b909d105ad55637e1308f49d9a|SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0|SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65|SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0|SHA1=64df813dc0774ef57d21141dcb38d08059fd8660|SHA1=bdfb1a2b08d823009c912808425b357d22480ecc|SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c|SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d|SHA1=ed40c1f7da98634869b415530e250f4a665a8c48|SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d|SHA1=684786de4b3b3f53816eae9df5f943a22c89601f|SHA1=b3b523504af5228c49060ec8dea9f8adce05e117|SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0|SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae|SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327|SHA1=190ec384e6eb1dafca80df05055ead620b2502ba|SHA1=6b25acbcb41a593aca6314885572fc22d16582a2|SHA1=341225961c15a969c62de38b4ec1938f65fda178|SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326|SHA1=5812387783d61c6ab5702213bb968590a18065e3|SHA1=e700fcfae0582275dbaee740f4f44b081703d20d|SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e|SHA1=7cf7644e38746c9be4537b395285888d5572ae1b|SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105|SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a|SHA1=9b3f57693f0f69d3729762d59a10439e738b9031|SHA1=63bb17160115f16b3fca1f028b13033af4e468c6|SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8|SHA1=06ec56736c2fc070066079bb628c17b089b58f6c|SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c|SHA1=e40182c106f6f09fd79494686329b95477d6beb5|SHA1=c74f6293be68533995e4b95469e6dddedd1c3905|SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144|SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea|SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c|SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f|SHA1=17614fdee3b89272e99758983b99111cbb1b312c|SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf|SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60|SHA1=c8674fe95460a37819e06d9df304254931033ca7|SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e|SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2|SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925|SHA1=94144619920bd086028bb5647b1649a35438028c|SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52|SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa|SHA1=d3daa971580b9f94002f7257de44fcef13bb1673|SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb|SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e|SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687|SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae|SHA1=085c0ea6980cb93a3afa076764b7866467ac987c|SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc|SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3|SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2|SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2|SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0|SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503|SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a|SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46|SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131|SHA1=dc393d30453daa1f853f47797e48c142ac77a37b|SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807|SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e|SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1|SHA1=296757d5663290f172e99e60b9059f989cba4c4e|SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637|SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305|SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce|SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab|SHA1=4818d7517054d5cba38b679bdf7f8495fd152729|SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7|SHA1=28fa0e9429af24197134306b6c7189263e939136|SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f|SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d|SHA1=76a756cc61653abcadd63db4a74c48d92607a861|SHA1=15df139494d2c40a645fb010908551185c27f3c5|SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869|SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da|SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5|SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522|SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc|SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d|SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2|SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e|SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2|SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d|SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f|SHA1=b671677079bf7c660579bee08b8875a48ff61896|SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c|SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1|SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef|SHA1=b394f84e093cb144568e18aaf5b857dff77091fa|SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1|SHA1=0307d76750dd98d707c699aee3b626643afb6936|SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a|SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c|SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60|SHA1=a197a02025946aca96d6e74746f84774df31249e|SHA1=82ba5513c33e056c3f54152c8555abf555f3e745|SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c|SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2|SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97|SHA1=446130c61555e5c9224197963d32e108cd899ea0|SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4|SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de|SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06|SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e|SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9|SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30|SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa|SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b|SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e|SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950|SHA1=4c18754dca481f107f0923fb8ef5e149d128525d|SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda|SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd|SHA1=2cf75df00c69d907cfe683cb25077015d05be65d|SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6|SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da|SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed|SHA1=e606282505af817698206672db632332e8c3d3ff|SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc|SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b|SHA1=34b0f1b2038a1572ee6381022a24333357b033c4|SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697|SHA1=a14d96b65d3968181d57b57ee60c533cb621b707|SHA1=cd248648eafca6ef77c1b76237a6482f449f13be|SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08|SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4|SHA1=74bf2ec32cb881424a79e99709071870148d242d|SHA1=943593e880b4d340f2548548e6e673ef6f61eed3|SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8|SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e|SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019|SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d|SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b|SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc|SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c|SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0|SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61|SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3|SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905|SHA1=30c6e1da8745c3d53df696af407ef095a8398273|SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385|SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d|SHA1=5ce273aa80ed3b0394e593a999059096682736ae|SHA1=36397c6879978223ba52acd97da99e8067ab7f05|SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561|SHA1=2f991435a6f58e25c103a657d24ed892b99690b8|SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a|SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6|SHA1=256d285347acd715ed8920e41e5ec928ae9201a8|SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c|SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58|SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2|SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e|SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67|SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5|SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696|SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3|SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef|SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347|SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2|SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f|SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329|SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc|SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265|SHA1=af50109b112995f8c82be8ef3a88be404510cdde|SHA1=ec04d8c814f6884c009a7b51c452e73895794e64|SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab|SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f|SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb|SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80|SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256|SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3|SHA1=c1fe7870e202733123715cacae9b02c29494d94d|SHA1=9c256edd10823ca76c0443a330e523027b70522d|SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d|SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b|SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb|SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81|SHA1=723fd9dd0957403ed131c72340e1996648f77a48|SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6|SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb|SHA1=838823f25436cadc9a145ddac076dce3e0b84d96|SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4|SHA1=363068731e87bcee19ad5cb802e14f9248465d31|SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4|SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82|SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d|SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27|SHA1=7859e75580570e23a1ef7208b9a76f81738043d5|SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89|SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc|SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd|SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f|SHA1=468e2e5505a3d924b14fedee4ddf240d09393776|SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7|SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22|SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc|SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52|SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c|SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f|SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e|SHA1=e702221d059b86d49ed11395adffa82ef32a1bce|SHA1=dd085542683898a680311a0d1095ea2dffe865e2|SHA1=69849d68d1857c83b09e1956a46fe879260d2aab|SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e|SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74|SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4|SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805|SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a|SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4|SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb|SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c|SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68|SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c|SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4|SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da|SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26|SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5|SHA1=e1069365cb580e3525090f2fa28efd4127223588|SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7|SHA1=67dfd415c729705396ce54166bd70faf09ac7f10|SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287|SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2|SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682|SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532|SHA1=bc949bc040333fdc9140b897b0066ef125343ef6|SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75|SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92|SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2|SHA1=51b60eaa228458dee605430aae1bc26f3fc62325|SHA1=054a50293c7b4eea064c91ef59cf120d8100f237|SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4|SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3|SHA1=d0452363b41385f6a6778f970f3744dde4701d8f|SHA1=d72de7e8f0118153dd5cf784f724e725865fc523|SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc|SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418|SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8|SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab|SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d|SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463|SHA1=4a887ae6b773000864f9228800aab75e6ff34240|SHA1=283c7dc5b029dbc41027df16716ec12761a53df8|SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8|SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb|SHA1=16c6bcef489f190a48e9d3b1f35972db89516479|SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c|SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688|SHA1=faa61346430aedc952d820f7b16b973c9bf133c3|SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d|SHA1=f18e669127c041431cde8f2d03b15cfc20696056|SHA1=1de9f25d189faa294468517b15947a523538ce9d|SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793|SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a|SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2|SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3|SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d|SHA1=48a09ca5fdbc214e675083c2259e051b0629457b|SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77|SHA1=8347487b32b993da87275e3d44ff3683c8130d33|SHA1=4471935df0e68fe149425703b66f1efca3d82168|SHA1=eaddeefe13bca118369faf95eee85b0a2a553221|SHA1=98600e919b8579d89e232a253d7277355b652750|SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64|SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741|SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0|SHA1=6210dabb908cc750379cc7563beb884b3895e046|SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561|SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5|SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8|SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb|SHA1=4f94789cffb23c301f93d6913b594748684abf6a|SHA1=511b06898770337609ee065547dbf14ce3de5a95|SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b|SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054|SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb|SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc|SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160|SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105|SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d|SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d|SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a|SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8|SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894|SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b|SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050|SHA1=21e6c104fe9731c874fab5c9560c929b2857b918|SHA1=ef80da613442047697bec35ea228cde477c09a3d|SHA1=c834c4931b074665d56ccab437dfcc326649d612|SHA1=aa2ea973bb248b18973e57339307cfb8d309f687|SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614|SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5|SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f|SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9|SHA1=59aead65b240a163ad47b2d1cf33cdb330608317|SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f|SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a|SHA1=a838303cda908530ef124f8d6f7fb69938b613bc|SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274|SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b|SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff|SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570|SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0|SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe|SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210|SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e|SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52|SHA1=02316decf9e5165b431c599643f6856e86b95e7c|SHA1=cc3186debacb98e0b0fb40ad82816bea10741099|SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd|SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e|SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266|SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c|SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf|SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e|SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d|SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd|SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498|SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef|SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46|SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f|SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c|SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332|SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9|SHA1=bea745b598dd957924d3465ebc04c5b830d5724f|SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3|SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4|SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d|SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8|SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2|SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809|SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299|SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546|SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825|SHA1=be270d94744b62b0d36bef905ef6296165ffcee9|SHA1=108439a4c4508e8dca659905128a4633d8851fd9|SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1|SHA1=343ec3073fc84968e40a145dc9260a403966bcb4|SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67|SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab|SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d|SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe|SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76|SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438|SHA1=a22c111045b4358f8279190e50851c443534fc24|SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6|SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551|SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc|SHA1=490109fa6739f114651f4199196c5121d1c6bdf2|SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef|SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916|SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a|SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9|SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a|SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4|SHA1=25d812a5ece19ea375178ef9d60415841087726e|SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505|SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4|SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c|SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc|SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974|SHA1=94b014123412fbe8709b58ec72594f8053037ae9|SHA1=c969f1f73922fd95db1992a5b552fbc488366a40|SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2|SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7|SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7|SHA1=729a8675665c61824f22f06c7b954be4d14b52c4|SHA1=814200191551faec65b21f5f6819b46c8fc227a3|SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29|SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce|SHA1=0e030cf5e5996f0778452567e144f75936dc278f|SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee|SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d|SHA1=59e6effdb23644ca03e60618095dc172a28f846e|SHA1=df177a0c8c1113449f008f8e833105344b419834|SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4|SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0|SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8|SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8|SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf|SHA1=7ee65bedaf7967c752831c83e26540e65358175e|SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b|SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7|SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0|SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946|SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e|SHA1=5db61d00a001fd493591dc919f69b14713889fc5|SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6|SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341|SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8|SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8|SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62|SHA1=fe10018af723986db50701c8532df5ed98b17c39|SHA1=b34fc245d561905c06a8058753d25244aaecbb61|SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9|SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f|SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b|SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121|SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1|SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b|SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d|SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e|SHA1=628e63caf72c29042e162f5f7570105d2108e3c2|SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e|SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13|SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52|SHA1=377f7e7382908690189aede31fcdd532baa186b5|SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1|SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c|SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756|SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b|SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165|SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776|SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343|SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed|SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d|SHA1=3e790c4e893513566916c76a677b0f98bd7334dd|SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939|SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81|SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe|SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96|SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe|SHA1=4f077a95908b154ea12faa95de711cb44359c162|SHA1=29a190727140f40cea9514a6420f5a195e36386b|SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e|SHA1=de0c16e3812924212f04e15caa09763ae4770403|SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee|SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d|SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b|SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d|SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7|SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac|SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8|SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba|SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53|SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd|SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a|SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d|SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825|SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e|SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665|SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1|SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674|SHA1=07c244739803f60a75d60347c17edc02d5d10b5d|SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1|SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb|SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9|SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca|SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95|SHA1=c22dc62e10378191840285814838fe9ed1af55d7|SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4|SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77|SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537|SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8|SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def|SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92|SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6|SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb|SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181|SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28|SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7|SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c|SHA1=feb8e6e7419713a2993c48b9758c039bd322b699|SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05|SHA1=08596732304351b311970ff96b21f451f23b1e25|SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a|SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d|SHA1=2ed4b51429b0a3303a645effc84022512f829836|SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b|SHA1=4f7a8e26a97980544be634b26899afbefb0a833c|SHA1=983a8d4b1cb68140740a7680f929d493463e32e3|SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f|SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb|SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2|SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705|SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e|SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2|SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309|SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162|SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f|SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b|SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c|SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0|SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c|SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb|SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a|SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af|SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0|SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15|SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5|SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8|SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d|SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863|SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c|SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d|SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875|SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db|SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3|SHA1=d942dac4033dcd681161181d50ce3661d1e12b96|SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52|SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a|SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a|SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca|SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c|SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5|SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37|SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277|SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35|SHA1=35a817d949b2eab012506bed0a3b4628dd884471|SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c|SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03|SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6|SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260|SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd|SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71|SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0|SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6|SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77|SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea|SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca|SHA1=24343ec4dfec11796a8800a3059b630e8be89070|SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9|SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0|SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1|SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0|SHA1=0adc1320421f02f2324e764aa344018758514436|SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0|SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59|SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e|SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e|SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a|SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad|SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30|SHA1=01779ee53f999464465ed690d823d160f73f10e7|SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be|SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9|SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3|SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd|SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b|SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a|SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474|SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8|SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda|SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603|SHA1=85941b94524da181be8aad290127aa18fc71895c|SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d|SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a|SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d|SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a|SHA1=ee877b496777763e853dd81fefd0924509bc5be0|SHA1=3f347117d21cd8229dd99fa03d6c92601067c604|SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799|SHA1=7ce978092fadbef44441a5f8dcb434df2464f193|SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748|SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b|SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804|SHA1=db006fa522142a197686c01116a6cf60e0001ef7|SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57|SHA1=089411e052ea17d66033155f77ae683c50147018|SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849|SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2|SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d|SHA1=c6bd965300f07012d1b651a9b8776028c45b149a|SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1|SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9|SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d|SHA1=d0216ebc81618c22d9d51f2f702c739625f40037|SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd|SHA1=3784d1b09a515c8824e05e9ea422c935e693080c|SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17|SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8|SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c|SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e|SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad|SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406|SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c|SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7|SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9|SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1|SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d|SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c|SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e|SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430|SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7|SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3|SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d|SHA1=6679cb0907ade366cf577d55be07eabc9fb83861|SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00|SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4|SHA1=89656051126c3e97477a9985d363fbdde0bc159e|SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622|SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5|SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1|SHA1=9f2b550c58c71d407898594b110a9320d5b15793|SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44|SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19|SHA1=d73dabcb3f55935b701542fd26875006217ebbbe|SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5|SHA1=643383938d5e0d4fd30d302af3e9293a4798e392|SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f|SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f|SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5|SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516|SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312|SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676|SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c|SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410|SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b|SHA1=4518758452af35d593e0cae80d9841a86af6d3de|SHA1=da42cefde56d673850f5ef69e7934d39a6de3025|SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c|SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d|SHA1=290d6376658cf0f8182de0fae40b503098fa09fd|SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca|SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33|SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb|SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5|SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0|SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec|SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a|SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7|SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1|SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37|SHA1=3c956b524e73586195d704b874e36d49fe42cb6a|SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0|SHA1=caa0cb48368542a54949be18475d45b342fb76e5|SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1|SHA1=1f3a9265963b660392c4053329eb9436deeed339|SHA1=b0c7ec472abf544c5524b644a7114cba0505951e|SHA1=622e7bffda8c80997e149ac11492625572e386e0|SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72|SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4|SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79|SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8|SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e|SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6|SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27|SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf|SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3|SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c|SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45|SHA1=4927d843577bada119a17b249ff4e7f5e9983a92|SHA1=d083e69055556a36df7c6e02115cbbf90726f35c|SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf|SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069|SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b|SHA1=388819a7048179848425441c60b3a8390ad04a69|SHA1=611411538b2bc9045d29bbd07e6845e918343e3c|SHA1=43011eb72be4775fec37aa436753c4d6827395d1|SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c|SHA1=1743b073cccf44368dc83ed3659057eb5f644b06|SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5|SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451|SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0|SHA1=70258117b5efe65476f85143fd14fa0b7f148adb|SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891|SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2|SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e|SHA1=2739c2cfa8306e6f78c335c55639566b3d450644|SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9|SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb|SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5|SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd|SHA1=1e6c2763f97e4275bba581de880124d64666a2fe|SHA1=19977d45e98b48c901596fb0a49a7623cee4c782|SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f|SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843|SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba|SHA1=8d0f33d073720597164f7321603578cd13346d1f|SHA1=229716e61f74db821d5065bac533469efb54867b|SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526|SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308|SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7|SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83|SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5|SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e|SHA1=ce549714a11bd43b52be709581c6e144957136ec|SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf|SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f|SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6|SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d|SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500|SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816|SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143|SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7|SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae|SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc|SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6|SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30|SHA1=948fa3149742f73bf3089893407df1b20f78a563|SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c|SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e|SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf|SHA1=1a53902327bac3ab323ee63ed215234b735c64da|SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123|SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13|SHA1=f052dc35b74a1a6246842fbb35eb481577537826|SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677|SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c|SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2|SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227|SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb|SHA1=43b61039f415d14189d578012b6cb1bd2303d304|SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27|SHA1=a809831166a70700b59076e0dbc8975f57b14398|SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d|SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91|SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0|SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c|SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6|SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1|SHA1=891c8d482e23222498022845a6b349fe1a186bcc|SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72|SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f|SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e|SHA1=356172a2e12fd3d54e758aaa4ff0759074259144|SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24|SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967|SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b|SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f|SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4|SHA1=879fcc6795cebe67718388228e715c470de87dca|SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4|SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7|SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa|SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8|SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962|SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07|SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2|SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2|SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1|SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9|SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4|SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c|SHA1=e835776e0dc68c994dd18e8628454520156c93e3|SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8|SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954|SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74|SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c|SHA1=b0a684474eb746876faa617a28824bee93ba24f0|SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904|SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec|SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6|SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d|SHA1=da9cea92f996f938f699902482ac5313d5e8b28e|SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306|SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016|SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1|SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7|SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5|SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f|SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d|SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4|SHA1=a24840e32071e0f64e1dff8ca540604896811587|SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb|SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77|SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e|SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33|SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566|SHA1=5291b17205accf847433388fe17553e96ad434ec|SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2|SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868|SHA1=87d47340d1940eaeb788523606804855818569e3|SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad|SHA1=e28b754d4d332ea57349110c019d841cf4d27356|SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6|SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc|SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a|SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961|SHA1=d8498707f295082f6a95fd9d32c9782951f5a082|SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02|SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5|SHA1=ba63502aaf8c5a7c2464e83295948447e938a844|SHA1=21ce232de0f306a162d6407fe1826aff435b2a04|SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315|SHA1=03257294ee74f69881002c4bf764b9cb83b759d6|SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1|SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c|SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b|SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8|SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344|SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b|SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28|SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0|SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914|SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8|SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a|SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad|SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12|SHA1=44a3a00394a6d233a27189482852babf070ffebe|SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8|SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057|SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0|SHA1=f9c916d163b85057414300ca214ebdf751172ecf|SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559|SHA1=d62fa51e520022483bdc5847141658de689c0c29|SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64|SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23|SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d|SHA1=45a9f95a7a018925148152b888d09d478d56bbf5|SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3|SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018|SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613|SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a|SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d|SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe|SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8|SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a|SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e|SHA1=1568117f691b41f989f10562f354ee574a6abc2d|SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e|SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1|SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292|SHA1=4a04596acf79115f15add3921ce30a96f594d7ce|SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491|SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a|SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3|SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4|SHA1=be797c91768ac854bd3b82a093e55db83da0cb11|SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6|SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5|SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd|SHA1=b6543d006cb2579fb768205c479524e432c04204|SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb|SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4|SHA1=4a7324ca485973d514fd087699f6d759ff32743b|SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2|SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01|SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6|SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7|SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f|SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99|SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd|SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81|SHA1=7a1689cde189378e7db84456212b0e438f9bf90a|SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95|SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0|SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b|SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6|SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe|SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9|SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6|SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47|SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536|SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6|SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be|SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2|SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf|SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8|SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2|SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558|SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360|SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071|SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5|SHA1=b67945815e40b1cd90708c57c57dab12ed29da83|SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471|SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e|SHA1=a34adabde63514e1916713a588905c4019f83efb|SHA1=3270720a066492b046d7180ca6e60602c764cac7|SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976|SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a|SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df|SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d|SHA1=d702d88b12233be9413446c445f22fda4a92a1d9|SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9|SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b|SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9|SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0|SHA1=e9f576137181c261dc3b23871d1d822731d54a12|SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6|SHA1=1c537fd17836283364349475c6138e6667cf1164|SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed|SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae|SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd|SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979|SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab|SHA1=0f78974194b604122b1cd4e82768155f946f6d24|SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c|SHA1=d363011d6991219d7f152609164aba63c266b740|SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1|SHA1=db3538f324f9e52defaba7be1ab991008e43d012|SHA1=008a292f71f49be1fb538f876de6556ce7b5603a|SHA1=e35969966769e7760094cbcffb294d0d04a09db6|SHA1=5236728c7562b047a9371403137a6e169e2026a6|SHA1=862387e84baaf506c10080620cc46df2bda03eea|SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3|SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f|SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de|SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377|SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634|SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47|SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471|SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825|SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260|SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467|SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d|SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0|SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17|SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833|SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2|SHA1=7a107291a9fad0d298a606eb34798d423c4a5683|SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a|SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3|SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0|SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8|SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0|SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4|SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1|SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37|SHA1=d11659145d6627f3d93975528d92fb6814171f91|SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462|SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387|SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080|SHA1=72966ca845759d239d09da0de7eebe3abe86fee3|SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9|SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea|SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64|SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1|SHA1=dc55217b6043d819eadebd423ff07704ee103231|SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df|SHA1=52ea274e399df8706067fdc5ac52af0480461887|SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19|SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa|SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7|SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3|SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a|SHA1=a09334489fb18443c8793cb0395860518193cc3c|SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a|SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0|SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717|SHA1=8b86c99328e4eb542663164685c6926e7e54ac20|SHA1=431550db5c160b56e801f220ceeb515dc16e68d2|SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586|SHA1=dd893cd3520b2015790f7f48023d833f8fe81374|SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80|SHA1=0b8b83f245d94107cb802a285e6529161d9a834d|SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c|SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76|SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f|SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b|SHA1=166759fd511613414d3213942fe2575b926a6226|SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e|SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180|SHA1=f640c94e71921479cc48d06b59aba41ffa50a769|SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7|SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754|SHA1=3ca51b23f8562485820883e894b448413891183a|SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f|SHA1=30846313e3387298f1f81c694102133568d6d48d|SHA1=b52886433e608926a0b6e623217009e4071b107e|SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf|SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c|SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10|SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534|SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc|SHA1=7667b72471689151e176baeba4e1cd9cd006a09a|SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef|SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579|SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643|SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274|SHA1=c40ff3ebf6b5579108165be63250634823db32ec|SHA1=cef5a329f7a36c76a546d9528e57245127f37246|SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546|SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d|SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327|SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab|SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713|SHA1=437b56dc106d2e649d2c243c86729b6e6461d535|SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f|SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6|SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464|SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084|SHA1=8453fc3198349cf0561c87efc329c81e7240c3da|SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2|SHA1=a7bd05de737f8ea57857f1e0845a25677df01872|SHA1=eb2496304073727564b513efd6387a77ce395443|SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e|SHA1=736531c76b8d9c56e26561bf430e10ecabff0186|SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02|SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca|SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57|SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346|SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3|SHA1=c948ae14761095e4d76b55d9de86412258be7afd|SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017|SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f|SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f|SHA1=a6816949cd469b6e5c35858d19273936fab1bef6|SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178|SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9|SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d|SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186|SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31|SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388|SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb|SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977|SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2|SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d|SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6|SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc|SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7|SHA1=c6d349823bbb1f5b44bae91357895dba653c5861|SHA1=f3029dba668285aac04117273599ac12a94a3564|SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a|SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df|SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92|SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d|SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c|SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb|SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba|SHA1=4075de7d7d2169d650c5ccede8251463913511e6|SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7|SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9|SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de|SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84|SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97|SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5|SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775|SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece|SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07|SHA1=9449f211c3c47821b638513d239e5f2c778dc523|SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d|SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8|SHA1=b314742af197a786218c6dd704b438469445eefa|SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371|SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393|SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef|SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43|SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a|SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7|SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe|SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6|SHA1=696d68bdbe1d684029aaad2861c49af56694473a|SHA1=164c899638bc83099c0379ea76485194564c956c|SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662|SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b|SHA1=a95a126b539989e29e68969bfab16df291e7fa8a|SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73|SHA1=1e8bccbd74f194db6411011017716c8c6b730d03|SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7|SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a|SHA1=19bd488fe54b011f387e8c5d202a70019a204adf|SHA1=879e327292616c56bd4aafc279fbda6cc393b74d|SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0|SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6|SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172|SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3|SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442|SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd|SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6|SHA1=1292c7dd60214d96a71e7705e519006b9de7968f|SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13|SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646|SHA1=f61e56359c663a769073782a0a3ffd3679c2694a|SHA1=dd2b90c9796237036ac7136a172d96274dea14c8|SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35|SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5|SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051|SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a|SHA1=3f67a43ae174a715795e49f72bc350302de83323|SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3|SHA1=655a9487d7a935322e19bb92d2465849055d029d|SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf|SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec|SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14|SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf|SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305|SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f|SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403|SHA1=7fb52290883a6b69a96d480f2867643396727e83|SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995|SHA1=5b83c61178afb87ef7d58fd786808effcaaae861|SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed|SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9|SHA1=5e4b93591f905854fb870011464291c3508aff44|SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78|SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b|SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22|SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796|SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994|SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea|SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a|SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4|SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547|SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1|SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61|SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504|SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa|SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f|SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675|SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf|SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb|SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c|SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f|SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8|SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc|SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc|SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474|SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a|SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba|SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395|SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2|SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00|SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16|SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712|SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f|SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50|SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763|SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26|SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879|SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248|SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75|SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d|SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d|SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812|SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e|SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1|SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439|SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de|SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee|SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a|SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339|SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46|SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526|SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250|SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1|SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a|SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243|SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8|SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47|SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2|SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c|SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3|SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6|SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce|SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d|SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59|SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1|SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c|SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d|SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29|SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b|SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70|SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8|SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26|SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f|SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa|SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed|SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492|SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36|SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293|SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c|SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566|SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1|SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be|SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e|SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889|SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158|SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8|SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672|SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2|SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284|SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0|SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd|SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b|SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0|SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65|SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750|SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162|SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d|SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1|SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173|SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5|SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8|SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a|SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156|SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f|SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6|SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6|SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e|SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677|SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3|SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4|SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea|SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3|SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271|SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91|SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498|SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486|SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f|SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229|SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8|SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469|SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf|SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190|SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb|SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135|SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d|SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9|SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f|SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd|SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1|SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e|SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340|SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775|SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba|SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf|SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667|SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb|SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184|SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de|SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a|SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25|SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa|SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad|SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e|SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef|SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980|SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748|SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8|SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3|SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180|SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c|SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52|SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78|SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb|SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda|SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd|SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c|SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21|SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd|SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f|SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c|SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61|SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f|SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb|SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d|SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e|SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5|SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6|SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17|SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad|SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb|SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433|SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970|SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec|SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00|SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928|SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f|SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833|SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c|SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9|SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0|SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa|SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c|SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506|SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293|SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce|SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219|SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039|SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683|SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418|SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5|SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b|SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef|SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f|SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf|SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670|SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e|SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe|SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6|SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed|SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf|SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2|SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af|SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004|SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9|SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79|SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713|SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222|SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7|SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641|SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36|SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3|SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7|SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b|SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838|SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456|SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8|SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1|SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10|SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60|SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b|SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c|SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c|SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14|SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5|SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b|SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d|SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502|SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff|SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9|SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1|SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca|SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b|SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7|SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e|SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c|SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042|SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653|SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145|SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478|SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5|SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c|SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48|SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7|SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f|SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69|SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53|SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4|SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778|SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75|SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c|SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c|SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57|SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c|SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca|SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c|SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5|SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e|SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901|SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc|SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c|SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1|SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88|SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b|SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d|SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168|SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508|SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f|SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a|SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486|SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a|SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54|SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9|SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c|SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac|SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d|SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc|SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57|SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d|SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece|SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2|SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd|SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512|SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743|SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57|SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92|SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5|SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55|SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298|SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c|SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab|SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd|SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9|SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc|SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a|SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade|SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009|SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d|SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9|SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce|SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761|SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23|SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0|SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c|SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2|SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967|SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1|SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a|SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48|SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8|SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f|SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd|SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220|SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22|SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f|SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e|SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408|SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f|SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2|SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a|SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5|SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a|SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6|SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a|SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01|SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258|SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558|SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b|SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65|SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3|SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44|SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2|SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba|SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482|SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc|SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165|SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061|SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1|SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b|SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02|SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb|SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6|SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a|SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b|SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0|SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc|SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250|SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874|SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129|SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af|SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff|SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80|SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184|SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af|SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1|SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e|SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587|SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8|SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89|SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35|SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b|SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027|SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d|SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924|SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c|SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1|SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4|SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e|SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131|SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f|SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881|SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3|SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9|SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24|SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7|SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2|SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960|SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357|SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0|SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3|SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0|SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b|SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92|SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc|SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6|SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2|SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33|SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc|SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b|SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e|SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21|SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194|SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48|SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465|SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b|SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259|SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0|SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5|SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03|SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686|SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7|SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554|SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b|SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b|SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6|SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7|SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004|SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89|SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b|SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20|SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03|SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4|SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c|SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72|SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98|SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa|SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d|SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb|SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f|SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e|SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510|SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5|SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94|SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf|SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9|SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa|SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248|SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d|SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0|SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa|SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b|SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c|SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8|SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3|SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e|SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5|SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a|SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f|SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1|SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c|SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8|SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3|SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1|SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1|SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775|SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686|SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0|SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa|SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9|SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073|SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c|SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219|SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4|SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2|SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9|SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5|SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c|SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa|SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2|SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504|SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b|SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b|SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126|SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05|SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9|SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2|SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714|SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57|SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d|SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185|SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e|SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207|SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1|SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1|SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5|SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa|SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d|SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb|SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb|SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5|SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685|SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7|SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77|SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918|SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a|SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba|SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8|SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406|SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4|SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63|SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25|SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501|SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c|SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f|SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b|SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26|SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c|SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe|SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2|SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e|SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2|SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b|SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24|SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e|SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80|SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74|SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d|SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85|SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512|SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df|SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8|SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc|SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c|SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062|SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0|SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7|SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0|SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4|SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f|SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d|SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb|SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90|SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496|SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463|SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d|SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467|SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca|SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee|SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5|SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd|SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8|SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09|SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab|SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7|SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd|SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d|SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3|SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5|SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb|SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3|SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2|SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91|SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c|SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850|SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc|SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d|SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad|SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c|SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c|SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88|SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8|SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c|SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6|SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526|SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e|SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b|SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882|SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae|SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee|SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684|SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d|SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb|SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1|SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6|SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3|SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8|SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43|SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad|SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c|SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed|SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b|SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a|SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505|SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb|SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c|SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee|SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a|SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517|SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05|SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee|SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5|SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b|SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285|SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb|SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e|SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d|SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a|SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc|SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3|SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a|SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f|SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc|SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca|SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a|SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab|SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd|SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95|SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada|SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26|SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036|SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7|SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc|SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6|SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965|SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90|SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a|SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9|SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36|SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723|SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f|SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6|SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257|SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534|SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f|SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572|SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d|SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9|SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7|SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a|SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289|SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5|SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8|SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891|SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c|SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94|SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53|SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200|SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf|SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42|SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917|SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1|SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad|SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77|SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c|SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa|SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a|SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d|SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc|SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f|SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e|SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa|SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182|SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b|SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c|SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b|SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5|SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1|SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5|SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f|SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28|SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801|SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c|SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148|SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6|SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4|SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612|SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e|SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d|SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9|SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f|SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440|SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25|SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b|SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6|SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6|SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5|SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289|SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f|SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8|SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b|SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399|SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085|SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585|SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135|SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396|SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257|SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354|SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266|SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82|SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100|SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57|SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae|SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c|SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5|SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8|SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0|SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292|SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30|SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4|SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c|SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449|SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11|SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd|SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717|SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a|SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890|SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091|SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893|SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8|SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e|SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2|SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d|SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288|SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71|SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305|SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4|SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69|SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1|SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e|SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4|SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4|SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70|SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7|SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21|SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f|SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e|SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112|SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a|SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f|SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7|SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524|SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213|SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005|SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd|SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922|SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102|SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5|SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8|SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867|SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca|SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b|SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038|SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21|SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3|SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3|SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14|SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793|SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79|SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1|SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229|SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1|SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659|SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687|SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d|SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c|SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533|SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9|SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f|SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c|SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb|SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f|SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20|SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b|SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0|SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc|SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2|SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb|SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba|SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e|SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de|SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b|SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7|SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646|SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7|SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4|SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc|SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1|SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9|SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a|SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c|SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4|SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03|SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64|SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf|SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530|SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c|SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180|SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763|SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f|SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b|SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2|SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a|SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b|SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e|SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba|SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961|SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a|SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be|SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29|SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584|SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc|SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e|SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c|SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d|SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879|SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb|SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a|SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347|SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3|SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de|SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270|SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba|SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3|SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9|SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409|SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d|SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813|SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa|SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa|SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d|SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe|SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7|SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2|SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236|SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5|SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b|SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4|SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441|SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989|SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7|SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5|SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa|SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa|SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608|SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0|SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6|SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d|SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf|SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664|SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53|SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2|SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7|SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a|SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91|SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a|SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd|SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd|SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5|SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6|SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0|SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289|SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78|SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4|SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c|SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7|SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258|SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51|SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b|SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75|SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9|SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d|SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3|SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37|SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6|SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c|SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1|SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6|SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65|SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028|SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65|SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094|SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5|SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633|SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663|SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7|SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc|SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e|SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0|SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727|SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f|SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2|SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a|SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566|SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5|SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458|SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44|SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351|SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192|SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7|SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb|SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356|SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25|SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058|SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c|SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c|SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4|SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6|SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d|SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d|SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c|SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097|SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01|SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63|SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7|SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057|SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00|SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5|SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a|SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2|SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9|SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114|SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047|SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a|SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa|SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4|SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5|SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91|SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7|SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e|SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a|SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c|SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41|SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0|SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a|SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df|SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958|SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0|SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc|SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229|SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565|SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1|SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad|SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9|SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67|SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2|SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc|SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c|SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2|SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a|SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4|SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a|SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0|SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3|SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc|SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b|SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853|SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38|SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9|SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f|SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be|SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7|SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7|SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1|SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7|SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3|SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba|SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961|SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28|SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a|SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc|SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63|SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d|SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832|SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a|SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421|SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96|SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8|SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810|SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718|SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768|SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf|SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb|SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876|SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e|SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3|SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960|SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c|SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414|SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7|SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33|SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a|SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695|SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece|SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f|SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25|SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0|SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496|SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b|SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3|SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7|SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6|SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae|SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704|SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670|SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8|SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134|SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6|SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef|SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9|SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf|SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605|SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d|SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22|SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02|SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda|SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de|SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c|SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233|SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0|SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18|SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13|SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7|SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4|SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc|SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6|SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757|SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359|SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67|SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1|SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18|SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22|SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb|SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758|SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5|SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc|SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a|SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495|SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0|SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0|SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915|SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347|SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d|SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e|SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413|SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470|SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451|SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66|SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3|SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8|SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955|SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727|SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d|SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452|SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d|SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50|SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280|SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c|SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5|SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986|SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6|SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54|SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3|SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233|SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230|SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0|SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c|SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d|SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be|SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686|SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a|SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96|SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd|SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613|SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17|SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60|SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1|SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668|SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4|SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de|SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f|SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb|SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7|SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c|SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943|SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629|SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e|SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd|SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f|SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d|SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8|SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6|SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06|SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91|SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0|SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe|SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7|SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee|SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548|SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b|SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca|SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc|SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602|SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15|SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8|SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef|SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7|SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3|SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6|SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15|SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7|SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746|SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f|SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57|SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8|SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9|SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9|SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88|SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63|SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad|SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377|SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35|SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24|SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008|SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e|SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858|SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8|SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241|SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476|SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183|SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b|SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7|SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff|SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a|SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d|SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471|SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109|SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1|SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103|SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10|SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6|SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e|SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097|SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457|SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8|SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804|SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35|SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272|SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39|SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd|SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e|SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94|SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db|SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797|SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71|SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402|SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e|SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf|SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b|SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa|SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573|SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd|SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52|SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b|SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5|SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00|SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1|SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9|SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4|SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9|SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a|SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4|SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444|SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b|SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47|SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303|SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59|SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed|SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388|SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015|SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9|SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe|SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c|SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208|SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0|SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc|SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43|SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578|SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441|SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4|SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d|SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099|SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2|SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880|SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836|SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282|SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e|SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab|SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0|SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec|SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0|SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645|SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59|SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf|SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88|SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5|SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b|SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33|SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a|SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc|SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab|SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879|SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe|SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427|SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f|SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9|SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c|SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8|SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4|SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3|SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69|SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097|SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28|SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590|SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd|SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b|SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb|SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374|SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe|SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0|SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84|SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd|SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7|SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53|SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51|SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993|SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295|SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e|SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f|SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49|SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44|SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8|SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805|SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a|SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c|SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73|SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38|SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0|SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506|SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3|SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3|SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921|SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e|SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a|SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65|SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65|SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9|SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f|SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2|SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f|SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2|SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499|SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445|SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5|SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f|SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3|SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8|SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea|SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a|SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec|SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040|SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d|SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56|SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e|SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f|SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4|SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f|SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782|SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56|SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461|SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb|SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8|SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee|SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b|SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280|SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d|SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1|SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e|SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461|SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9|SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57|SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c|SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5|SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a|SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247|SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3|SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1|SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486|SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4|SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f|SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1|SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8|SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065|SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822|SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06|SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4|SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568|SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40|SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890|SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23|SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76|SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63|SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd|SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0|SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4|SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44|SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d|SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3|SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def|SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5|SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250|SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40|SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe|SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b|SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a|SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4|SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036|SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5|IMPHASH=88e21ed9e717781eaf87209acbdbb567|IMPHASH=481d7bb63a8e5eaba756137e6ef22e54|IMPHASH=cef6a450f196b28e634aa3c0655d8eda|IMPHASH=0e0722c16a5ded199f64b26fccd2115a|IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46|IMPHASH=cc88330f6dca52a40e258f689d3e2db4|IMPHASH=835e364e2175338d970c2aaee365f3dc|IMPHASH=82e75304c5b7ed87121b8b89c82f2389|IMPHASH=9470f56376e665fb981a35b303436041|IMPHASH=37b1eada43ad08093dfa4de7a411d15f|IMPHASH=a2d936fa82b7340d28a697fb344046d8|IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7|IMPHASH=32b632f6379bfaac9f4f3a030a694f55|IMPHASH=052280a42374b8d779c10cd0d8118691|IMPHASH=540992ba6f31301ba27604515a78ad79|IMPHASH=a5fd3b0143c8db98017ec1b2b2528360|IMPHASH=1e13511288689b63b2e1348bf5eb567b|IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f|IMPHASH=cf1a39b9408348cddaa4a2827283534c|IMPHASH=0dcd262801389f839ce909cb173448e2|IMPHASH=9e15ce38f071c916bea830247f1241bb|IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef|IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef|IMPHASH=f475387e3959dbea86854d61602db136|IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d|IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a|IMPHASH=14075e605bff546182d682f41afefea2|IMPHASH=b8302791cd2edfe6dd562c4854ea495f|IMPHASH=a1d29a3af6402793ec9d23883512938a|IMPHASH=aa01c534155ce919d797860feb531eae|IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a|IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817|IMPHASH=8605f70bcc472025c2e78082388ed00b|IMPHASH=27365d8741d23e179699f1f11a619c7d|IMPHASH=dc0a0f2d424a59b4d17033f58f01b027|IMPHASH=48e2ef3c2d32ecca62510d90e12b6632|IMPHASH=a793af44219650b4dd07d8a19ede33f1|IMPHASH=5f4063ab963abff76d0d83d239697e36|IMPHASH=7716b766e630388f64de1961719be3d4|IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7|IMPHASH=6e796fd10b55f58fd0ec9f122a14e918|IMPHASH=2d7766896629499b1484227afaf43dd7|IMPHASH=0579e15c488a56c544e8fac130d826ba|IMPHASH=e1d88d0526dfa369c3661355dbd8773d|IMPHASH=8ec78cf864273fd81203678b61c41f04|IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a|IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b|IMPHASH=77d6a7153b3015318622b793227fb394|IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc|IMPHASH=23eb5ffc060c6c52546d38e2b63019bd|IMPHASH=ee9cc2f584c2f06fbff67d484adcf426|IMPHASH=d6dc99d60798b2647006ddba21671160|IMPHASH=1427c5f0f4fb100e26a3911f8209504b|IMPHASH=a095f31019d7a32d0a0507879a1822b1|IMPHASH=b8a35d469bc164d86ac7c64e93b0037b|IMPHASH=0e9dfd08346bbe128159bff440d13389|IMPHASH=bd607d71fdc1444aa96dc431591c5c44|IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a|IMPHASH=edc2197e927392567cf09f7de410b5bb|IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c|IMPHASH=1422b8d354b95d9cd880c8726df45dfc|IMPHASH=0c959096cf4b3180530cc7865ef29157|IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78|IMPHASH=3f4c9025125027e307b7e52dd577303b|IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81|IMPHASH=228bac53e82887d1ed92f51a667a8231|IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70|IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936|IMPHASH=8add42784f4693f421d85a2bcbadc620|IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175|IMPHASH=a94892b77a6474429b9f692d9952a9d5|IMPHASH=aa03d5a319bc221875846e19e01276f7|IMPHASH=26150d69f50aa9247c3f3f17521d18a2|IMPHASH=beb40a1e9d5c89308d1c56958ddac27d|IMPHASH=59b3f3fa2775e407721c2491ddb2890b|IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a|IMPHASH=d8752c1d5954bea175ac00df5acebb09|IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6|IMPHASH=4aaef0105216f062a5f3ee071a72770c|IMPHASH=67f975f0734a5b0598223fbe00b3367e|IMPHASH=175c5711f3c49a0d929e9e2314b21c6b|IMPHASH=12befc0a82dcb0585359d335ed47af19|IMPHASH=24b344cd341f8b20003ac85be08df979|IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce|IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8|IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4|IMPHASH=7363079b9aae7d58bd33c691a613c83c|IMPHASH=e2c63196ed5368f03dabed73b1ff3409|IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46|IMPHASH=2699b7ae36fcadd71425ebafd231d0d1|IMPHASH=8d2a933d039e8b8134ef41236d5ea843|IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0|IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528|IMPHASH=e0813a780309a0af84b605d95bd194e4|IMPHASH=e5fd4339e7b94543b16624a27ba1c872|IMPHASH=fffbca93e6322995552b841c7d65b033|IMPHASH=105b74485670215ab231a942c9101ccf|IMPHASH=74081c86ad3e9771011f162c107927de|IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe|IMPHASH=22a9d7a42282b48c566b4423363d3a3e|IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d|IMPHASH=b262e8d078ede007ebd0aa71b9152863|IMPHASH=abbab73b191d90dc642cbbc1f31d750d|IMPHASH=a5b3ea8c2012c517c472ad6befd37134|IMPHASH=9d7183c1d8107495354c4fad9dae3452|IMPHASH=7d004bbe0f546a91c93562d324307fa7|IMPHASH=b84820037d6a51ba108e0e81ce01db0b|IMPHASH=68b717fa2ab9431cd176776363359d48|IMPHASH=b0356152212dc6e33752847235064fb0|IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708|IMPHASH=85fd19df117fbc21efbcb1d587063e12|IMPHASH=8122311437457ccae22578e301c6a17d|IMPHASH=f939ef0b7f792672866386600f82aa04|IMPHASH=d7de998e454f947f62d4a6b66490563b|IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab|IMPHASH=6816dabcee7b7d027bfbb93a16297afa|IMPHASH=6723b1d5bd0f1fc13216cb44541e619e|IMPHASH=71e84092e69114f0792419cb8b2b0fd1|IMPHASH=9c8c681f74950997cd571fd838a847b8|IMPHASH=95fe5e937e5acf9bea948fe0256e46ae|IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40|IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920|IMPHASH=6ce93eab57a73915ecd5c202a339f6ce|IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41|IMPHASH=3edc60bda68569cac7ad7604728ff40d|IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a|IMPHASH=b05ee5c816a30bc52378c759486af0b9|IMPHASH=f7d07bcaa23837d219dcb64e76290252|IMPHASH=d658b06ec1ce39670b02a2dd83e29d03|IMPHASH=11bfcbdb0787ef461d442f973c392cf6|IMPHASH=f531646e31cc12dfaac5b8352653c384|IMPHASH=9b3ad85a76080f989d24cd89da90175a|IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4|IMPHASH=4b0b017b23567cf8b9e1268957acd032|IMPHASH=b4a71a1265f5f82cf383af17e229acb5|IMPHASH=0ebf1214948a636eba076b14cd8f72d5|IMPHASH=c05e71aad32edcbe71ae0ef1621f8693|IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450|IMPHASH=236bc37dff7a92a4d25d807cf038e674|IMPHASH=e38cca61999fb8a0308c0eb798b07989|IMPHASH=3815f9107b799b863cd905178e6e07d0|IMPHASH=3c91d549b68e320924bcde3856993e87|IMPHASH=bb56f25a810b329868a0ff8e94080bad|IMPHASH=f5030145594c486434040aa2636a5dde|IMPHASH=d8101af81fd826b492ced1994ebd3268|IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed|IMPHASH=799c9c020c6fcfd11a4172bc861f74af|IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98|IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c|IMPHASH=b1e749ba779687a5127817da3d47af2c|IMPHASH=202a0f2f992ec379e2876776ae9de661|IMPHASH=f5df2479285c7b593b3630b8357032e3|IMPHASH=32204eaf2afa5b348ab17de07362885c|IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14|IMPHASH=64d934652c680b7759f6e75d05ee3072|IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869|IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d|IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f|IMPHASH=a18b467c3b43f334ca455c495a3ef70d|IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b|IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00|IMPHASH=69260cce3156aa2dc0540fb78f5fe826|IMPHASH=b1336b0cb67918ed39f1f88c354910d0|IMPHASH=f119bff607049d431d0968fbaf6532f3|IMPHASH=c91146dfe120f6e8fbed2150d9e020ca|IMPHASH=1e6875beefe8571686d3e8530f8c4bfb|IMPHASH=acdf419d1d03923be256205b9c33eec8|IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201|IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511|IMPHASH=6e7cd05c0da9f82449a8b3795418ee00|IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8|IMPHASH=4792bcb395d06f9efb72e8020c4af5e6|IMPHASH=d5bc15465b63888cc8b98ecc63a81517|IMPHASH=7f53340c91c108efedb5b8678c5207b3|IMPHASH=3f4a90b2976641ad2c0164792b24d322|IMPHASH=d221afaadf43ceedb581e665435c56c7|IMPHASH=f212bbc758bb52fc661839b1d194b76e|IMPHASH=e938b727f5a033818337f7ba0584500f|IMPHASH=3ac083b0ee2b752436a8a1532179f032|IMPHASH=2e9ef79ea88178e29516dfa435a58900|IMPHASH=24c3d3be20e794c17844d030be03fd2f|IMPHASH=700a9350ac8b218ab9fc62cf25337ad3|IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1|IMPHASH=2233472cee6457ad207017803048aaff|IMPHASH=f046e37fa7914491dc25a6f7718da341|IMPHASH=683bc425e3d8c21f9473a238a0645a4e|IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638|IMPHASH=e2306e26abfd90a5ce4dad0e266b3905|IMPHASH=10917aa77669c6ae714f074d89be9ab8|IMPHASH=db62897eb9d2098e988f830159c04c82|IMPHASH=51780bba04121d6be13f69de08721445|IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08|IMPHASH=5988ec9f159fefbdf89d893aa634dd92|IMPHASH=05d3de62beab8e88de1dafd3b24a16f6|IMPHASH=88380fdfc880da4da407c38f34fe8a3c|IMPHASH=8a424cd36ae3eab0d11332ce3b982a02|IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57|IMPHASH=85f86c7c8ce81a78e84efa545d7edc65|IMPHASH=9523103b30fb194643b97ccc3ab7abb0|IMPHASH=0c2219c9c5eab786fa876f74356eea20|IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac|IMPHASH=c6a0f65ba653ee78255cc9e314abc442|IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56|IMPHASH=13300d56528646611f26704266713952|IMPHASH=095c0cdb9c0421da216371c1f4e8790e|IMPHASH=45f8f347e3fb919f3164a4a3278f1c71|IMPHASH=0e4f5481813eeec4e5dd96e36020135f|IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd|IMPHASH=2561727ac42d399030b3c46477c428f4|IMPHASH=be69e763a6a858c3e7e1ea6e3af12691|IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055|IMPHASH=1d9cdf46ff335712634c292180c06755|IMPHASH=ad4586d21c9469bf636b5e8660e9d702|IMPHASH=958dd67f866ae27cf716e30a025b266f|IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f|IMPHASH=b4c562c2c654abd2cc71658646314976|IMPHASH=679eba16ab2d51543b7007708838ef7c|IMPHASH=a1603fe7f02448c6b33687ddb9304c7f|IMPHASH=9e2cf28fe320bbf74972509536569c8e|IMPHASH=f233a65b937c69b447824889fb7425ff|IMPHASH=b3204707f6e489cd5a2484881eaf78ca|IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e|IMPHASH=28c5045218461018dbde27212ab0f227|IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1|IMPHASH=e80eeed7225a880bbde0d038a5fe1af4|IMPHASH=62473b41d695f075ad96abc4a408de5b|IMPHASH=56307b5227183c002e4231320a72b961|IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc|IMPHASH=9915439d37f385dbffc72bf835f3ee02|IMPHASH=4199ed50502e00f57d9b66e9305450f5|IMPHASH=71c580daf556775f690f0af3db12506f|IMPHASH=c1ab6741cd29de98a138f2bd639f620a|IMPHASH=32247962aa01af8ad5dca696260a05ab|IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85|IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501|IMPHASH=78727a5fac8bd281903014ee00dcd553|IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7|IMPHASH=4343c9c0b78ee21e895f10d929c240d4|IMPHASH=f510a429c6ce5c8d414550518b3823d2|IMPHASH=45acfe4a83f61d872fb904a1f08ef991|IMPHASH=cbf26c6e8cf7e294bda273e7026a2789|IMPHASH=84d83741445d9f5a6717b874fed3d8f3|IMPHASH=0b40636205c64cacfd2e4f407518ad58|IMPHASH=b4627789883457d50964a248104cb4c2|IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544|IMPHASH=a0a13575e37906924a0b79043b4005c6|IMPHASH=955e7b12a8fa06444c68e54026c45de1|IMPHASH=8f52e36711c80bb9d7e30995e0092e83|IMPHASH=05fbe4619edf747787879d9323951439|IMPHASH=865c945f842a3f5f5453fb90d12f6765|IMPHASH=89f925b54b95944513671d79eba5fe07|IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f|IMPHASH=2ece23bdef16ee294bd905c7ba1be589|IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd|IMPHASH=a86fb9a41955bda815ab902fb58baa27|IMPHASH=2f7ea575cf15da16c8f117eee37046d8|IMPHASH=223a76f59831e1a59980b603f81c271d|IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08|IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95|IMPHASH=3552d8a0022e7f3136b667e6d1e402f2|IMPHASH=67d92a28cd2923a923adf7fd958905d8|IMPHASH=3c9af2347198d96c8ab5b189b4e3db37|IMPHASH=f43aa654b4bfb882a0af098ad3f899e9|IMPHASH=518e77c070ae21af7c558962cd1854a3|IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26|IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3|IMPHASH=acd1b0130287133223d26c91f27f6899|IMPHASH=82942c060f79cefd3bf1acdf5c207561|IMPHASH=bc5c06a7fa9555f3f34043d828d9b123|IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1|IMPHASH=2424cf613f90884493009dd6bee95693|IMPHASH=5c77661ac2951da388949d9a834eb694|IMPHASH=2a20cc9578bb34a4bb10b87b49b24982|IMPHASH=3ee1cb6085fbe05e46e2b88493426848|IMPHASH=cb876abd8c6ca8a47d50aec4a520a020|IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1|IMPHASH=aa274f6b4b15691fd725d7044f98bf36|IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd|IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f|IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50|IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3|IMPHASH=7863a0f25a0647ed7d52641222bd709a|IMPHASH=75018719e85e67b75e73c57d682dbcbf|IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4|IMPHASH=2263350df91a5a4f5e10e68b3b822029|IMPHASH=6f0b9814da4da038669c47e77c2f268f|IMPHASH=9fb64527ca6d4541cc256b1abd1e4101|IMPHASH=27db67ffa112f866f1d34c32226e09cf|IMPHASH=5bb79a6caa12076a6d140085cb53892e|IMPHASH=d169b0949781ca2a6efea5a106266a02|IMPHASH=5a50a9a44f5d36af5df1bde995d22e42|IMPHASH=626c8ecbc636968157d73f18ac315926|IMPHASH=f12ae9073d95c22ed89247253d59f500|IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864|IMPHASH=840e656bdb2987fa422092ec9d588895|IMPHASH=d57ef6278dcd7049063e8fb6ade9effc|IMPHASH=392aa6863da8d7c14ad7386026e93b58|IMPHASH=5662b51943d85b7ca47a99cac81af985|IMPHASH=8418ac0d7aaa9015794e55ea54733342|IMPHASH=163436e69f8e582bdc1c1e6f735de23b|IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48|IMPHASH=3198fc43051f03c6c71587dbf232f75c|IMPHASH=9321f9c47129fbc728ead2710e22f1a5|IMPHASH=1a0d0d460994cfde55ee908d62330ee0|IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc|IMPHASH=634f3c43b014dc8845b086c9328a678c|IMPHASH=81acb4bb89ef49c4e7f30513b4750e53|IMPHASH=d61d30746681d0fda9bfd9e8af061b2a|IMPHASH=7453e39bd87c63550451ba2fa354dd8e|IMPHASH=bb437241f56020db0fcbf8f8629bdb07|IMPHASH=1e8ee6407390a2d52051bec21c771fdb|IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740|IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8|IMPHASH=1b0788bb68804273159b8ace9cba7ea3|IMPHASH=9521d8684357766840dbcac2b4cee67d|IMPHASH=b4c2607b2af5376910bf80b561e9a18a|IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27|IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e|IMPHASH=8bbc742eaed888736a715757f0584fb6|IMPHASH=be527e5f470fbc661f914c81bfc9af38|IMPHASH=ad374977f06fefefbb9c77155f7a0733|IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f|IMPHASH=31907ffcac211e27136b14bb2f442070|IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f|IMPHASH=8a5edbe5251fe141ea0262d5d572178b|IMPHASH=0265c50548889ffd5c2d3a2539885efe|IMPHASH=9376f1c4ab79240cc948b77bf9e8814b|IMPHASH=82b2288ac7f842e42de15c5bc96f1772|IMPHASH=317f02ddc9809d608a9bf63ce24e9550|IMPHASH=65abf5c92cc2239f2dc9d589458569c9|IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2|IMPHASH=fd133033a24971502ff0b2f189215c56|IMPHASH=050d389675730da0d9d75367659cd53b|IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944|IMPHASH=505e0a016962137ca6169bce64ba2f53|IMPHASH=02a27dc9a48b694b7df4b821eb65178c|IMPHASH=bfe13c695e41d3eee414d3929b1bd523|IMPHASH=5095ddaed3abc22c1510a141d72735cc|IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37|IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60|IMPHASH=07a42e80559d960b176c0fc8fd309bfe|IMPHASH=f86759bb4de4320918615dc06e998a39|IMPHASH=c9f08d92efe88afb2545eb82a8870233|IMPHASH=6b867dee14a77d0ada8ccad99b16291e|IMPHASH=744af2b62301859b4ccdffba53551b15|IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651|IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e|IMPHASH=31a3c2c72c9a565dc4ba75ef26677569|IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913|IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89|IMPHASH=ad34ea17f90a34f6f84a399a96383ada|IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42|IMPHASH=587191d77c08023e6e95463153e45463|IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631|IMPHASH=cb8db41ab8c06472574e58b9466f4070|IMPHASH=391ffad95759bc4bac2b737d0d0eaa84|IMPHASH=c52384bc825d2414de3195672971339e|IMPHASH=b0e74761cced2dde5173ae05ec562085|IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7|IMPHASH=ad0cdf3bab32983050527655bce40f96|IMPHASH=e1a5435877b427be967867a25b1d263e|IMPHASH=61b719638eacc2c5ca299805d4819e69|IMPHASH=7687d0eba49315582228ef660f61b471|IMPHASH=e7cbb1ce75bfc69f53855066a936042d|IMPHASH=bc44fdc145156a15d0a803d18877b218|IMPHASH=d5e7fc56a905088dbc79b8e27b98faea|IMPHASH=3702511999371bac8982d01820dd70f2|IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537|IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc|IMPHASH=e717a2158439123c6fca79b6b2c0ba49|IMPHASH=6736c04d5ff512e5e2eb608414276513|IMPHASH=225e24ee3c4081a16ef32831b70bf8ef|IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb|IMPHASH=37f7c6238c9ce110408e01ae1bc45635|IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be|IMPHASH=78eaf4d62617f6b614d318cc70c6548a|IMPHASH=55db306bc2be3ff71a6b91fd9db051b8|IMPHASH=021fd02a8adad420116496b6f2759960|IMPHASH=b3e26c5e0de2d01597dca208ef27cc38|IMPHASH=67affe6126c1d4a774b2504061c96a2e|IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d|IMPHASH=5ea78a193212fe61ac722f45f0b0eab9|IMPHASH=77ec8b2c372741f12098f084a13a56a8|IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b|IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac|IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107|IMPHASH=c12f7aec6ebe84a8390c82720adfc237|IMPHASH=0a8eeabf5981efb2116244785cb03900|IMPHASH=7f8c74638fcf297f8216aa5b184f61d6|IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7|IMPHASH=8d616e68080def2200312de80392efa7|IMPHASH=cde9174249f04dad0f79890c976c0792|IMPHASH=858ceae385cdcfcbc7814644564c23e6|IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0|IMPHASH=c7f08aed5725fe6a53a62ebe354ff135|IMPHASH=cc81a908891587ccac8059435eda4c66|IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c|IMPHASH=01aa65221a48929f0a34a27c4e3011b1|IMPHASH=409d2ab916237fb129c57aacbb7cb4fe|IMPHASH=65181bc89a1c2b5854548236269846c1|IMPHASH=787e32b3fd816479fb93f9af0b6d0da3|IMPHASH=8e89024d2c0ef0451c12b956a2b55b91|IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33|IMPHASH=b7a0100fe60d7a8263da64820f7d0120|IMPHASH=d16f507665603095c26147a7adcb93b8|IMPHASH=0b663530751cc11f34273fee7921c431|IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54|IMPHASH=cb8397a3262c80b558aff93ab75b6a7b|IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233|IMPHASH=9fd359d308a1e93106189b4ebd945855|IMPHASH=c94e5ad0f33374535392364a5a193253|IMPHASH=751c6b5c201f8c52f5512350cad88ddc|IMPHASH=eac62dd0c27ed557fa4b641fa4050d04|IMPHASH=506a31d768aec26b297c45b50026c820|IMPHASH=60805da513b95c3d18a93b988bdfb58f|IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b|IMPHASH=c1579e4266fbdc47a5abc493a2d9d597|IMPHASH=adfd4c0b031598afecb6f3f585f5f581|IMPHASH=7a286ef4179598007a8afe9e5af95a48|IMPHASH=c7912c850407aa93c979d95c4f593507|IMPHASH=bec5dc89f030df7a96d19483fad4cc0a|IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07|IMPHASH=d67b7c7501e5261df5e66b3219fa52ee|IMPHASH=b142d772a67c40535c8d8fabb6861748|IMPHASH=1957e33acbc826c69f452ae1d1b89ac9|IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3|IMPHASH=085a78615099ffefa2df0a31da3058d8|IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11|IMPHASH=6f2d756d22c285a46206de3bfde6c79d|IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2|IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c|IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3|IMPHASH=cb15f8046e159c17b0510738fa18f758|IMPHASH=07a513d1599c93bd34f01323b1ef7430|IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8|IMPHASH=8b41eacbfbe5f5348579e27d30767e74|IMPHASH=afee876e89b51e2cc7c91353fb588fe6|IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e|IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b|IMPHASH=d6d76f43ccc3872b879b0df583364c78|IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b|IMPHASH=3ec1e7e215efad2711248558465da9ad|IMPHASH=96f270be3f73ec3fc2f2237fe84efca0|IMPHASH=9ad5f7496f8c918d6c0536751d3accae|IMPHASH=b1ed268dfdf4f39960971eb5822a4755|IMPHASH=4c0161f638d5acafe23fcee3c5e86f15|IMPHASH=9928d53dbe860aba1b7c891831680629|IMPHASH=d122c1eaa50839be14c31876d0d4e0be|IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23|IMPHASH=abdaca21ab5c831000b0aa4b8f357716|IMPHASH=0555907292d07d9f78205416eb1924d3|IMPHASH=832f0fb3579a07b1c4bec82b4478306b|IMPHASH=340e874a1ca966e45fc2a314ef228cce|IMPHASH=b35d1d3faa6c97b106b343823d5df867|IMPHASH=7e1327419d10a7eeece5579526f75d9f|IMPHASH=084b99aebda8a13e4f774a2ced272e85|IMPHASH=81ba5280406320ce6f03a9817d7d6035|IMPHASH=e4f1a9234e4ea105321909d4c0e597ae|IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab|IMPHASH=c3fd2e688276a184b2528ee590054e5a|IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2|IMPHASH=29a1da8841f5363423dcba1a9773809a|IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681|IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31|IMPHASH=3415f704b3149ea9a3d3a54036b208dd|IMPHASH=7cf815757705e26b809574488ed56d0e|IMPHASH=28d780857f0f6616f938aca3a38b5072|IMPHASH=235102691b04f562ae8aa7ece38d8bc9|IMPHASH=262d8fbbf1f514399bb3f230cddc12af|IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556|IMPHASH=bd093a7d5ba5632ee52f3466a688ee55|IMPHASH=a9e22f5e8f4965960716d94ba7639c9f|IMPHASH=528ac7a1e034801d1f20238971c6ec19|IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4|IMPHASH=7c8c655791b5c853e45aa174e5cc1333|IMPHASH=a53b095a8d7366075d445892070cde51|IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef|IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b|IMPHASH=9a970527986cd03e5a25d18b372624a1|IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8|IMPHASH=959dce366573a7aae10b74a08931722a|IMPHASH=fce118020e70919e5c8c629687f89e56|IMPHASH=86682585c620fa85096a7bedaf990cd1|IMPHASH=5f9cf5b0511f3c1129b467d273b921f2|IMPHASH=543f80399f79401471523d335ea61642|IMPHASH=3ca448454c33a5c72ad5e774de47930a|IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b|IMPHASH=1f2627fc453dc35031a9502372bd3549|IMPHASH=2cf48a541dc193e91bb2a831adcf278e|IMPHASH=805e4a267f9495e7c0c430d92b78f8bd|IMPHASH=92caaf6ebb43bbe61f3da8526172f776|IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8|IMPHASH=aa54fa0523f677e56d6d8199e5e18732|IMPHASH=8ee2435c62b02fe0372cde028be489cb|IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c|IMPHASH=037b9d19995faadf69a2ce134473e346|IMPHASH=2c19472843b56c67efb80d8c447f3cfe|IMPHASH=a74f61fdcea718cb9579907b2caf54ab|IMPHASH=84d45ee8df6f63b5af419d89003a97bc|IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4|IMPHASH=6903b92e7760c5d7f7c181b64eb13176|IMPHASH=d6f977640d4810a784d152e4d3c63a6b|IMPHASH=473c3773ca11aa7371dbf350919c5724|IMPHASH=87842ffa59724bda8389394bcaeb5d73|IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5|IMPHASH=b6f67458e30912358144df4adf5264fd|IMPHASH=a49a51d7f2ae972483961eb64d17888e|IMPHASH=81e2eb25e24938b90806de865630a2b2|IMPHASH=96861132665e8d66c0a91e6c02cc6639|IMPHASH=69163e5596280d3319375c9bcd4b5da1|IMPHASH=4946030efb34ab167180563899d5eb27|IMPHASH=4c304943af1b07b15a5efa80f17d9b89|IMPHASH=821d74031d3f625bcbd0df08b70f1e77|IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b|IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b|IMPHASH=91387ac37086b9b519f945b58095f38d|IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7|IMPHASH=ced7ea67fdf3d89a48849e0062278f7d|IMPHASH=5713a0c2b363c49706fa0e60151511a8|IMPHASH=089e8a8f2bb007852c63b64e66430293|IMPHASH=383be1d728b0be96be1b810a131705ee|IMPHASH=3d42ff70269b824dd9d4a8cb905669f9|IMPHASH=363922cc73591e60f2af113182414230|IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1|IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb|IMPHASH=42e3f2ffa29901e572f2df03cb872159|IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2|IMPHASH=d5d40497d82daf7e44255ede810ce7a6|IMPHASH=91ee149529956a79a91eeb8c48f00b3d|IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b|IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57|IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2|IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5|IMPHASH=519cf5394541bf5e2869edeec81521e1|IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4|IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3|IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7|IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e|IMPHASH=49a12b06131d938e9dc40c693b88ba7f|IMPHASH=f74aa24adc713dbb957ccb18f3c16a71|IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd|IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4|IMPHASH=8b6c1a09e11200591663b880a94a8d18|IMPHASH=eade2a2576f329e4971bf5044ab24ac7|IMPHASH=8b47d6faba90b5c89e27f7119c987e1a|IMPHASH=4433528b0f664177546dd3e229f0daa5|IMPHASH=c0f234205c50cc713673353c9653eea1|IMPHASH=b4b90c1b054ebe273bff4b2fd6927990|IMPHASH=f2dc136141066311fddef65f7f417c44|IMPHASH=12a08688ec92616a8b639d85cc13a3ed|IMPHASH=296afaa5ea70bbd17135afcd04758148|IMPHASH=8232d2f79ce126e84cc044543ad82790|IMPHASH=e10e743d152cf62f219a7e9192fb533d|IMPHASH=e5af2438da6df2aa9750aa632c80cfa4|IMPHASH=3a4e0bc46866ca54459753f62c879b62|IMPHASH=10cb3185e13390f8931a50a131448cdf|IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e|IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c|IMPHASH=fd894d394a8ca9abd74f7210ed931682|IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19|IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded|IMPHASH=485f7e86663d49c68c8b5f705d310f50|IMPHASH=5899e93373114ca9e458e906675132b7|IMPHASH=be2d638c3933fc3f5a96e539f9910c5f|IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4|IMPHASH=f9b9487f25a2c1e08c02f391387c5323|IMPHASH=ef102e058f6b88af0d66d26236257706|IMPHASH=0f371a913e9fa3ba3a923718e489debb</field>
    </rule>
    <rule id="900428" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Vulnerable Driver Load By Name</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+panmonfltx64\.sys|\\+dbutil\.sys|\\+fairplaykd\.sys|\\+nvaudio\.sys|\\+superbmc\.sys|\\+bsmi\.sys|\\+smarteio64\.sys|\\+bwrsh\.sys|\\+agent64\.sys|\\+asmmap64\.sys|\\+dellbios\.sys|\\+chaos\-rootkit\.sys|\\+wcpu\.sys|\\+dh_kernel\.sys|\\+sbiosio64\.sys|\\+bw\.sys|\\+asrdrv102\.sys|\\+nt6\.sys|\\+mhyprot3\.sys|\\+winio64c\.sys|\\+asupio64\.sys|\\+blackbonedrv10\.sys|\\+d\.sys|\\+driver7\-x86\.sys|\\+sfdrvx32\.sys|\\+enetechio64\.sys|\\+gdrv\.sys|\\+sysinfodetectorx64\.sys|\\+fh\-ethercat_dio\.sys|\\+asromgdrv\.sys|\\+my\.sys|\\+dcprotect\.sys|\\+irec\.sys|\\+gedevdrv\.sys|\\+winio32a\.sys|\\+gvcidrv64\.sys|\\+winio32\.sys|\\+bs_hwmio64\.sys|\\+nstr\.sys|\\+inpoutx64\.sys|\\+hw\.sys|\\+winio64\.sys|\\+hpportiox64\.sys|\\+iobitunlocker\.sys|\\+b1\.sys|\\+aoddriver\.sys|\\+elbycdio\.sys|\\+protects\.sys|\\+kprocesshacker\.sys|\\+speedfan\.sys|\\+radhwmgr\.sys|\\+iscflashx64\.sys|\\+black\.sys|\\+b4\.sys|\\+hwos2ec10x64\.sys|\\+winflash64\.sys|\\+corsairllaccess64\.sys|\\+bs_i2cio\.sys|\\+d3\.sys|\\+windows\-xp\-64\.sys|\\+aswvmm\.sys|\\+bs_i2c64\.sys|\\+1\.sys|\\+nchgbios2x64\.sys|\\+cpuz141\.sys|\\+segwindrvx64\.sys|\\+tdeio64\.sys|\\+ntiolib\.sys|\\+gtckmdfbs\.sys|\\+iomap64\.sys|\\+avalueio\.sys|\\+semav6msr\.sys|\\+lgdcatcher\.sys|\\+b\.sys|\\+hwdetectng\.sys|\\+nt4\.sys|\\+tgsafe\.sys|\\+mydrivers\.sys|\\+eneio64\.sys|\\+procexp\.sys|\\+viragt64\.sys|\\+fpcie2com\.sys|\\+lenovodiagnosticsdriver\.sys|\\+cp2x72c\.sys|\\+kerneld\.amd64|\\+bs_def64\.sys|\\+piddrv\.sys|\\+amifldrv64\.sys|\\+cpuz_x64\.sys|\\+proxy32\.sys|\\+wsdkd\.sys|\\+t8\.sys|\\+ucorew64\.sys|\\+atszio\.sys|\\+lmiinfo\.sys|\\+80\.sys|\\+nt3\.sys|\\+ngiodriver\.sys|\\+lv561av\.sys|\\+gpcidrv64\.sys|\\+fd3b7234419fafc9bdd533f48896ed73_b816c5cd\.sys|\\+rtport\.sys|\\+full\.sys|\\+viragt\.sys|\\+fiddrv64\.sys|\\+cupfixerx64\.sys|\\+cpupress\.sys|\\+hwos2ec7x64\.sys|\\+driver7\-x86\-withoutdbg\.sys|\\+asrdrv10\.sys|\\+nvflsh64\.sys|\\+asrrapidstartdrv\.sys|\\+tmcomm\.sys|\\+wiseunlo\.sys|\\+rwdrv\.sys|\\+asio64\.sys|\\+nvoclock\.sys|\\+panio\.sys|\\+mtcbsv64\.sys|\\+amigendrv64\.sys|\\+capcom\.sys|\\+netflt\.sys|\\+phlashnt\.sys|\\+dbutil_2_3\.sys|\\+ni\.sys|\\+ntiolib_x64\.sys|\\+atszio64\.sys|\\+lgcoretemp\.sys|\\+lha\.sys|\\+phymem64\.sys|\\+dbutildrv2\.sys|\\+asrdrv103\.sys|\\+rtcore64\.sys|\\+bs_hwmio64_w10\.sys|\\+ene\.sys|\\+winio64b\.sys|\\+piddrv64\.sys|\\+directio32\.sys|\\+monitor_win10_x64\.sys|\\+nt5\.sys|\\+asrsmartconnectdrv\.sys|\\+rtif\.sys|\\+atillk64\.sys|\\+directio\.sys|\\+asribdrv\.sys|\\+kfeco11x64\.sys|\\+citmdrv_ia64\.sys|\\+sysdrv3s\.sys|\\+amp\.sys|\\+vboxdrv\.sys|\\+adv64drv\.sys|\\+hostnt\.sys|\\+phymem_ext64\.sys|\\+echo_driver\.sys|\\+winiodrv\.sys|\\+pdfwkrnl\.sys|\\+glckio2\.sys|\\+asrdrv106\.sys|\\+nscm\.sys|\\+bs_rcio64\.sys|\\+ncpl\.sys|\\+sandra\.sys|\\+fiddrv\.sys|\\+hwrwdrv\.sys|\\+mhyprot\.sys|\\+asrsetupdrv103\.sys|\\+iqvw64\.sys|\\+b3\.sys|\\+ssport\.sys|\\+bs_def\.sys|\\+computerz\.sys|\\+windows8\-10\-32\.sys|\\+nstrwsk\.sys|\\+lurker\.sys|\\+bsmemx64\.sys|\\+wyproxy64\.sys|\\+asio\.sys|\\+t3\.sys|\\+cpuz\.sys|\\+rtkio\.sys|\\+driver7\-x64\.sys|\\+netfilterdrv\.sys|\\+ioaccess\.sys|\\+testbone\.sys|\\+gameink\.sys|\\+kevp64\.sys|\\+mhyprot2\.sys|\\+se64a\.sys|\\+vboxusb\.sys|\\+windows7\-32\.sys|\\+vproeventmonitor\.sys|\\+winio64a\.sys|\\+asrdrv101\.sys|\\+netproxydriver\.sys|\\+elrawdsk\.sys|\\+zam64\.sys|\\+cg6kwin2k\.sys|\\+asupio\.sys|\\+stdcdrvws64\.sys|\\+81\.sys|\\+citmdrv_amd64\.sys|\\+amdryzenmasterdriver\.sys|\\+vmdrv\.sys|\\+sysinfo\.sys|\\+alsysio64\.sys|\\+directio64\.sys|\\+rzpnk\.sys|\\+amdpowerprofiler\.sys|\\+truesight\.sys|\\+wirwadrv\.sys|\\+phymemx64\.sys|\\+msio64\.sys|\\+sepdrv3_1\.sys|\\+gametersafe\.sys|\\+bs_rcio\.sys|\\+d4\.sys|\\+t\.sys|\\+eio\.sys|\\+nt2\.sys|\\+winring0\.sys|\\+physmem\.sys|\\+libnicm\.sys|\\+msio32\.sys|\\+asrautochkupddrv\.sys|\\+asio32\.sys|\\+etdsupp\.sys|\\+smep_namco\.sys|\\+bandai\.sys|\\+d2\.sys|\\+magdrvamd64\.sys|\\+nvflash\.sys|\\+goad\.sys|\\+proxy64\.sys|\\+amsdk\.sys|\\+kbdcap64\.sys|\\+vdbsv64\.sys|\\+pchunter\.sys|\\+sysconp\.sys|\\+dh_kernel_10\.sys|\\+msrhook\.sys|\\+bedaisy\.sys|\\+dcr\.sys|\\+panmonflt\.sys|\\+bsmixp64\.sys|\\+otipcibus\.sys|\\+fidpcidrv\.sys|\\+kfeco10x64\.sys|\\+asrdrv104\.sys|\\+c\.sys|\\+tdklib64\.sys|\\+bsmix64\.sys|\\+bs_flash64\.sys|\\+stdcdrv64\.sys|\\+naldrv\.sys|\\+ctiio64\.sys|\\+bwrs\.sys|\\+nicm\.sys|\\+winio32b\.sys|\\+paniox64\.sys|\\+ecsiodriverx64\.sys|\\+iomem64\.sys|\\+fidpcidrv64\.sys|\\+aswarpot\.sys|\\+bs_rciow1064\.sys|\\+asmio64\.sys|\\+openlibsys\.sys|\\+viraglt64\.sys|\\+dbk64\.sys|\\+t7\.sys|\\+atlaccess\.sys|\\+nbiolib_x64\.sys|\\+smep_capcom\.sys|\\+iqvw64e\.sys)$</field>
    </rule>
    <rule id="900429" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+HEVD\.sys)$</field>
    </rule>
    <rule id="900430" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5|IMPHASH=c46ea2e651fd5f7f716c8867c6d13594</field>
    </rule>
    <rule id="900431" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)f26d0b110873a1c7d8c4f08fbeab89c5|c46ea2e651fd5f7f716c8867c6d13594</field>
    </rule>
    <rule id="900432" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+WinRing0x64\.sys|\\+WinRing0\.sys|\\+WinRing0\.dll|\\+WinRing0x64\.dll|\\+winring00x64\.sys)$</field>
    </rule>
    <rule id="900433" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7</field>
    </rule>
    <rule id="900434" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)d41fa95d4642dc981f10de36f4dc8cd7</field>
    </rule>
    <rule id="900435" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+WinDivert\.sys|\\+WinDivert64\.sys|\\+NordDivert\.sys|\\+lingtiwfp\.sys|\\+eswfp\.sys</field>
    </rule>
    <rule id="900436" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=0604bb7cb4bb851e2168d5c7d9399087|IMPHASH=2e5f0e649d97f32b03c09e4686d0574f|IMPHASH=52f8aa269f69f0edad9e8fcdaedce276|IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76|IMPHASH=58623490691babe8330adc81cd04a663|IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b|IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96|IMPHASH=a1b2e245acd47e4a348e1a552a02859a|IMPHASH=2a5f85fe4609461c6339637594fa9b0a|IMPHASH=6b2c6f95233c2914d1d488ee27531acc|IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342|IMPHASH=d8a719865c448b1bd2ec241e46ac1c88|IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38|IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6|IMPHASH=a74929edfc3289895e3f2885278947ae|IMPHASH=a66b476c2d06c370f0a53b5537f2f11e|IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4|IMPHASH=c28cd6ccd83179e79dac132a553693d9</field>
    </rule>
    <rule id="900437" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)0604bb7cb4bb851e2168d5c7d9399087|2e5f0e649d97f32b03c09e4686d0574f|52f8aa269f69f0edad9e8fcdaedce276|c0e5d314da39dbf65a2dbff409cc2c76|58623490691babe8330adc81cd04a663|8ee39b48656e4d6b8459d7ba7da7438b|45ee545ae77e8d43fc70ede9efcd4c96|a1b2e245acd47e4a348e1a552a02859a|2a5f85fe4609461c6339637594fa9b0a|6b2c6f95233c2914d1d488ee27531acc|9f2fdd3f9ab922bbb0560a7df46f4342|d8a719865c448b1bd2ec241e46ac1c88|0ea54f8c9af4a2fe8367fa457f48ed38|9d519ae0a0864d6d6ae3f8b6c9c70af6|a74929edfc3289895e3f2885278947ae|a66b476c2d06c370f0a53b5537f2f11e|bdcd836a46bc2415773f6b5ea77a46e4|c28cd6ccd83179e79dac132a553693d9</field>
    </rule>
    <rule id="900438" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+Appdata\\+Local\\+Microsoft\\+Windows\\+WebCache\\+WebCacheV01\.dat)</field>
    </rule>
    <rule id="900439" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+cookies\.sqlite|release\\+key3\.db|release\\+key4\.db|release\\+logins\.json)</field>
    </rule>
    <rule id="900440" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Appdata\\+Local\\+Chrome\\+User\ Data\\+Default\\+Login\ Data|\\+AppData\\+Local\\+Google\\+Chrome\\+User\ Data\\+Default\\+Network\\+Cookies|\\+AppData\\+Local\\+Google\\+Chrome\\+User\ Data\\+Local\ State</field>
    </rule>
    <rule id="900441" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+SysWOW64\\+</field>
    </rule>
    <rule id="900442" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MpCopyAccelerator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
    </rule>
    <rule id="900443" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Credential Manager Access By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Credentials\\+|\\+AppData\\+Roaming\\+Microsoft\\+Credentials\\+|\\+AppData\\+Local\\+Microsoft\\+Vault\\+|\\+ProgramData\\+Microsoft\\+Vault\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900444" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.004</id>
        </mitre>
        <description>Access To Windows DPAPI Master Keys By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Microsoft\\+Protect\\+S\-1\-5\-18\\+|\\+Microsoft\\+Protect\\+S\-1\-5\-21\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900445" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Access To .Reg/.Hive Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.hive|\.reg)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900446" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.004</id>
        </mitre>
        <description>Access To Windows Credential History File By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Protect\\+CREDHIST)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
    </rule>
    <rule id="900447" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Access To Potentially Sensitive Sysvol Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+sysvol\\+</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Policies\\+</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:audit\.csv|Files\.xml|GptTmpl\.inf|groups\.xml|Registry\.pol|Registry\.xml|scheduledtasks\.xml|scripts\.ini|services\.xml)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+explorer\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+system32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900448" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1070.006</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>File Creation Date Changed to Another Year</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:2022)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:2022)</field>
    </rule>
    <rule id="900449" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1070.006</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>File Creation Date Changed to Another Year</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:2022)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:202)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:202)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+ProvTool\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+usocoreworker\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+USOPrivate\\+UpdateStore\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.temp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.cab)$</field>
    </rule>
    <rule id="900450" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual File Modification by dns.exe</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+dns\.log)$</field>
    </rule>
    <rule id="900451" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
        </mitre>
        <description>Potential PrintNightmare Exploitation Attempt</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+3\\+</field>
    </rule>
    <rule id="900452" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Backup Files Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wt\.exe|\\+rundll32\.exe|\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.VHD|\.bac|\.bak|\.wbcat|\.bkf|\.set|\.win|\.dsk)$</field>
    </rule>
    <rule id="900453" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>EventLog EVTX File Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+winevt\\+Logs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.evtx)$</field>
    </rule>
    <rule id="900454" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Exchange PowerShell Cmdlet History Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:\\+Logging\\+CmdletInfra\\+LocalPowerShell\\+Cmdlet\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)_Cmdlet_</field>
    </rule>
    <rule id="900455" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>IIS WebServer Access Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+inetpub\\+logs\\+LogFiles\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.log)$</field>
    </rule>
    <rule id="900456" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>PowerShell Console History Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+PSReadLine\\+ConsoleHost_history\.txt)$</field>
    </rule>
    <rule id="900457" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>Prefetch File Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Windows\\+Prefetch\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pf)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="900458" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>TeamViewer Log File Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+TeamViewer_</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.log)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe</field>
    </rule>
    <rule id="900459" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Tomcat WebServer Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Tomcat</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+logs\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)catalina\.|_access_log\.|localhost\.</field>
    </rule>
    <rule id="900460" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>File Deleted Via Sysinternals SDelete</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.AAA|\.ZZZ)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+Wireshark\\+radius\\+dictionary\.alcatel\-lucent\.aaa)$</field>
    </rule>
    <rule id="900461" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual File Deletion by Dns.exe</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+dns\.log)$</field>
    </rule>
    <rule id="900462" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>ADS Zone.Identifier Deleted By Uncommon Application</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900463" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious File Event With Teams Objects</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Teams\\+current\\+Teams\.exe</field>
    </rule>
    <rule id="900464" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Suspicious Unattend.xml File Access</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+unattend\.xml)$</field>
    </rule>
    <rule id="900465" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>ADSI-Cache File Creation By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Local\\+Microsoft\\+Windows\\+SchCache\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sch)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Cylance\\+Desktop\\+CylanceSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+CCM\\+CcmExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+efsui\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+ccmsetup\\+autoupgrade\\+ccmsetup</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+SentinelOne\\+Sentinel\ Agent</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
    </rule>
    <rule id="900466" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>ADSI-Cache File Creation By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Local\\+Microsoft\\+Windows\\+SchCache\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sch)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+LANDesk\\+LDCLient\\+ldapwhoami\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+Receiver\ StoreFront\\+Services\\+DefaultDomainServices\\+Citrix\.DeliveryServices\.DomainServices\.ServiceHost\.exe)$</field>
    </rule>
    <rule id="900467" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Advanced IP Scanner - File Event</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+Advanced\ IP\ Scanner\ 2</field>
    </rule>
    <rule id="900468" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Anydesk Temporary Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+AnyDesk\\+user\.conf|\\+AppData\\+Roaming\\+AnyDesk\\+system\.conf</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.temp)$</field>
    </rule>
    <rule id="900469" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Suspicious Binary Writes Via AnyDesk</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+anydesk\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+gcapi\.dll)$</field>
    </rule>
    <rule id="900470" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Assembly DLL Creation Via AspNetCompiler</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Temporary\ ASP\.NET\ Files\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+assembly\\+tmp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="900471" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>BloodHound Collection Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:BloodHound\.zip|_computers\.json|_containers\.json|_domains\.json|_gpos\.json|_groups\.json|_ous\.json|_users\.json)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+pocket_containers\.json)$</field>
    </rule>
    <rule id="900472" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>EVTX Created In Uncommon Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.evtx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+winevt\\+Logs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\\+Containers\\+BaseImages\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+winevt\\+Logs\\+)$</field>
    </rule>
    <rule id="900473" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Creation Of Non-Existent System DLL</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+TSMSISrv\.dll|:\\+Windows\\+System32\\+TSVIPSrv\.dll|:\\+Windows\\+System32\\+wbem\\+wbemcomn\.dll|:\\+Windows\\+System32\\+WLBSCTRL\.dll|:\\+Windows\\+System32\\+wow64log\.dll|:\\+Windows\\+System32\\+WptsExtensions\.dll|\\+SprintCSP\.dll)$</field>
    </rule>
    <rule id="900474" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>New Custom Shim Database Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Windows\\+apppatch\\+Custom\\+|:\\+Windows\\+apppatch\\+CustomSDB\\+</field>
    </rule>
    <rule id="900475" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious Screensaver Binary File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Kindle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Bin\\+ccSvcHst\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+uwfservicingscr\.scr)$</field>
    </rule>
    <rule id="900476" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Files With System Process Name In Unsuspected Locations</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe|\\+audiodg\.exe|\\+backgroundTaskHost\.exe|\\+bcdedit\.exe|\\+bitsadmin\.exe|\\+cmdl32\.exe|\\+cmstp\.exe|\\+conhost\.exe|\\+csrss\.exe|\\+dasHost\.exe|\\+dfrgui\.exe|\\+dllhost\.exe|\\+dwm\.exe|\\+eventcreate\.exe|\\+eventvwr\.exe|\\+explorer\.exe|\\+extrac32\.exe|\\+fontdrvhost\.exe|\\+ipconfig\.exe|\\+iscsicli\.exe|\\+iscsicpl\.exe|\\+logman\.exe|\\+LogonUI\.exe|\\+LsaIso\.exe|\\+lsass\.exe|\\+lsm\.exe|\\+msiexec\.exe|\\+msinfo32\.exe|\\+mstsc\.exe|\\+nbtstat\.exe|\\+odbcconf\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regini\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+RuntimeBroker\.exe|\\+schtasks\.exe|\\+SearchFilterHost\.exe|\\+SearchIndexer\.exe|\\+SearchProtocolHost\.exe|\\+SecurityHealthService\.exe|\\+SecurityHealthSystray\.exe|\\+services\.exe|\\+ShellAppRuntime\.exe|\\+sihost\.exe|\\+smartscreen\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+SystemSettingsBroker\.exe|\\+taskhost\.exe|\\+taskhostw\.exe|\\+Taskmgr\.exe|\\+TiWorker\.exe|\\+vssadmin\.exe|\\+w32tm\.exe|\\+WerFault\.exe|\\+WerFaultSecure\.exe|\\+wermgr\.exe|\\+wevtutil\.exe|\\+wininit\.exe|\\+winlogon\.exe|\\+winrshost\.exe|\\+WinRTNetMUAHostServer\.exe|\\+wlanext\.exe|\\+wlrmdr\.exe|\\+WmiPrvSE\.exe|\\+wslhost\.exe|\\+WSReset\.exe|\\+WUDFHost\.exe|\\+WWAHost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+SystemRoot\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+uus\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+SecurityHealth\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+SecurityHealthSystray\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SecurityHealthSetup\.exe)$</field>
    </rule>
    <rule id="900477" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Creation Exe for Service with Unquoted Path</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+program\.exe</field>
    </rule>
    <rule id="900478" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
        </mitre>
        <description>Cred Dump Tools Dropped Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+fgdump\-log|\\+kirbi|\\+pwdump|\\+pwhashes|\\+wce_ccache|\\+wce_krbtkts</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+cachedump\.exe|\\+cachedump64\.exe|\\+DumpExt\.dll|\\+DumpSvc\.exe|\\+Dumpy\.exe|\\+fgexec\.exe|\\+lsremora\.dll|\\+lsremora64\.dll|\\+NTDS\.out|\\+procdump64\.exe|\\+pstgdump\.exe|\\+pwdump\.exe|\\+SAM\.out|\\+SECURITY\.out|\\+servpw\.exe|\\+servpw64\.exe|\\+SYSTEM\.out|\\+test\.pwd|\\+wceaux\.dll)$</field>
    </rule>
    <rule id="900479" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>WScript or CScript Dropper - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+|C:\\+ProgramData)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.jse|\.vbe|\.js|\.vba|\.vbs)$</field>
    </rule>
    <rule id="900480" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>CSExec Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+csexecsvc\.exe)$</field>
    </rule>
    <rule id="900481" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic CSharp Compile Artefact</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.cmdline)$</field>
    </rule>
    <rule id="900482" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Potential DCOM InternetExplorer.Application DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
    </rule>
    <rule id="900483" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Search Order Hijackig Via Additional Space in Path</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\ \\+|C:\\+Program\ Files\ \\+|C:\\+Program\ Files\ $x86$\ \\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900484" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious DMP/HDMP File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp|\.dump|\.hdmp)$</field>
    </rule>
    <rule id="900485" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Attempt Via ErrorHandler.Cmd</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WINDOWS\\+Setup\\+Scripts\\+ErrorHandler\.cmd)$</field>
    </rule>
    <rule id="900486" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>GoToAssist Temporary Installation Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+LogMeInInc\\+GoToAssist\ Remote\ Support\ Expert\\+</field>
    </rule>
    <rule id="900487" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>CrackMapExec File Indicators</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+temp\.ps1|\\+msol\.ps1)$</field>
    </rule>
    <rule id="900488" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>CrackMapExec File Indicators</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+[a-zA-Z]{8}\.tmp$</field>
    </rule>
    <rule id="900489" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Dumpert Process Dumper Default File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:dumpert\.dmp)$</field>
    </rule>
    <rule id="900490" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
            <id>cve.2021.36934</id>
        </mitre>
        <description>Typical HiveNightmare SAM File Export</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+hive_sam_|\\+SAM\-2021\-|\\+SAM\-2022\-|\\+SAM\-2023\-|\\+SAM\-haxx|\\+Sam\.save</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+windows\\+temp\\+sam</field>
    </rule>
    <rule id="900491" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Inveigh Execution Artefacts</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Inveigh\-Log\.txt|\\+Inveigh\-Cleartext\.txt|\\+Inveigh\-NTLMv1Users\.txt|\\+Inveigh\-NTLMv2Users\.txt|\\+Inveigh\-NTLMv1\.txt|\\+Inveigh\-NTLMv2\.txt|\\+Inveigh\-FormInput\.txt|\\+Inveigh\.dll|\\+Inveigh\.exe|\\+Inveigh\.ps1|\\+Inveigh\-Relay\.ps1)$</field>
    </rule>
    <rule id="900492" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
        </mitre>
        <description>Mimikatz Kirbi File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.kirbi|mimilsa\.log)$</field>
    </rule>
    <rule id="900493" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>NPPSpy Hacktool Usage</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+NPPSpy\.txt|\\+NPPSpy\.dll)$</field>
    </rule>
    <rule id="900494" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
        </mitre>
        <description>Powerup Write Hijack DLL</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
    </rule>
    <rule id="900495" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>QuarksPwDump Dump File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+SAM\-</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="900496" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Remote Credential Dumping Activity</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+[a-zA-Z0-9]{8}\.tmp$</field>
    </rule>
    <rule id="900497" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>SafetyKatz Default Dump Filename</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Temp\\+debug\.bin)$</field>
    </rule>
    <rule id="900498" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
            <id>attack.t1574</id>
            <id>attack.t1574.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Initial Access via DLL Search Order Hijacking</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winword\.exe|\\+excel\.exe|\\+powerpnt\.exe|\\+MSACCESS\.EXE|\\+MSPUB\.EXE|\\+fltldr\.exe|\\+cmd\.exe|\\+certutil\.exe|\\+mshta\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+curl\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+OneDrive\\+|\\+Microsoft\ OneDrive\\+|\\+Microsoft\\+Teams\\+|\\+Local\\+slack\\+app\-|\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+api\-ms\-win\-core\-</field>
    </rule>
    <rule id="900499" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Installation of TeamViewer Desktop</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+TeamViewer_Desktop\.exe)$</field>
    </rule>
    <rule id="900500" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Malicious DLL File Dropped in the Teams or OneDrive Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)iphlpapi\.dll</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft</field>
    </rule>
    <rule id="900501" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO File Created Within Temp Folders</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.zip\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso)$</field>
    </rule>
    <rule id="900502" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO File Created Within Temp Folders</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Windows\\+INetCache\\+Content\.Outlook\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso)$</field>
    </rule>
    <rule id="900503" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO or Image Mount Indicator in Recent Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso\.lnk|\.img\.lnk|\.vhd\.lnk|\.vhdx\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Recent\\+</field>
    </rule>
    <rule id="900504" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>GatherNetworkInfo.VBS Reconnaissance Script Output</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+config)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Hotfixinfo\.txt|\\+netiostate\.txt|\\+sysportslog\.txt|\\+VmSwitchLog\.evtx)$</field>
    </rule>
    <rule id="900505" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+lsass\.dmp|\\+lsass\.zip|\\+lsass\.rar|\\+Andrew\.dmp|\\+Coredump\.dmp|\\+NotLSASS\.zip|\\+PPLBlade\.dmp)$</field>
    </rule>
    <rule id="900506" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass_2|\\+lsassdump|\\+lsassdmp</field>
    </rule>
    <rule id="900507" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="900508" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)SQLDmpr</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.mdmp)$</field>
    </rule>
    <rule id="900509" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:nanodump)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp)$</field>
    </rule>
    <rule id="900510" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Dump Artefact In CrashDumps Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Local\\+CrashDumps\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)lsass\.exe\.</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp)$</field>
    </rule>
    <rule id="900511" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>WerFault LSASS Process Memory Dump</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+WerFault\.exe</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass|lsass\.exe</field>
    </rule>
    <rule id="900512" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>Adwind RAT / JRAT File Artifact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+Oracle\\+bin\\+java</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.exe</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Retrive</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.vbs</field>
    </rule>
    <rule id="900513" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1195</id>
            <id>attack.t1195.001</id>
        </mitre>
        <description>Octopus Scanner Malware</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Cache134\.dat|\\+AppData\\+Local\\+Microsoft\\+ExplorerSync\.db)$</field>
    </rule>
    <rule id="900514" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
            <id>cve.2022.30190</id>
        </mitre>
        <description>File Creation In Suspicious Directory By Msdt.EXE</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Desktop\\+|\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+PerfLogs\\+|C:\\+ProgramData\\+|C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="900515" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious DotNET CLR Usage Log Artifact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+UsageLogs\\+cmstp\.exe\.log|\\+UsageLogs\\+cscript\.exe\.log|\\+UsageLogs\\+mshta\.exe\.log|\\+UsageLogs\\+msxsl\.exe\.log|\\+UsageLogs\\+regsvr32\.exe\.log|\\+UsageLogs\\+rundll32\.exe\.log|\\+UsageLogs\\+svchost\.exe\.log|\\+UsageLogs\\+wscript\.exe\.log|\\+UsageLogs\\+wmic\.exe\.log)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsiExec\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\ \-Embedding</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Temp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="900516" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious File Creation In Uncommon AppData Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.cpl|\.dll|\.exe|\.hta|\.iso|\.lnk|\.msi|\.ps1|\.psm1|\.scr|\.vbe|\.vbs)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+LocalLow\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+</field>
    </rule>
    <rule id="900517" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>SCR File Write Event</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+NewOS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+WUDownloadCache\\+</field>
    </rule>
    <rule id="900518" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Notepad++ Plugins</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Notepad\+\+\\+plugins\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Notepad\+\+\\+updater\\+gup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+target\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:Installer\.x64\.exe)$</field>
    </rule>
    <rule id="900519" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:ntds\.dit)$</field>
    </rule>
    <rule id="900520" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+w3wp\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="900521" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+apache|\\+tomcat|\\+AppData\\+|\\+Temp\\+|\\+Public\\+|\\+PerfLogs\\+</field>
    </rule>
    <rule id="900522" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe|\\+wsl\.exe|\\+wt\.exe)$</field>
    </rule>
    <rule id="900523" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Temp\\+|\\+Public\\+|\\+PerfLogs\\+</field>
    </rule>
    <rule id="900524" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS Exfiltration Filename Patterns</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+All\.cab|\.ntds\.cleartext)$</field>
    </rule>
    <rule id="900525" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.wll)$</field>
    </rule>
    <rule id="900526" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Excel\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="900527" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)Microsoft\\+Excel\\+XLSTART\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xlam)$</field>
    </rule>
    <rule id="900528" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Addins\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xlam|\.xla|\.ppam)$</field>
    </rule>
    <rule id="900529" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Office Macro File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.docm|\.dotm|\.xlsm|\.xltm|\.potm|\.pptm)$</field>
    </rule>
    <rule id="900530" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>OneNote Attachment File Dropped In Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.one|\.onepkg)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTE\.EXE)$</field>
    </rule>
    <rule id="900531" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious File Created Via OneNote Application</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe|\\+onenotem\.exe|\\+onenoteim\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+OneNote\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.chm|\.cmd|\.dll|\.exe|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf)$</field>
    </rule>
    <rule id="900532" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>New Outlook Macro Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Outlook\\+VbaProject\.OTM)$</field>
    </rule>
    <rule id="900533" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.003</id>
        </mitre>
        <description>Potential Persistence Via Outlook Form</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+FORMS\\+IPM|\\+Local\ Settings\\+Application\ Data\\+Microsoft\\+Forms</field>
    </rule>
    <rule id="900534" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Suspicious Outlook Macro Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Outlook\\+VbaProject\.OTM)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
    </rule>
    <rule id="900535" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Publisher Attachment File Dropped In Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|C:\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pub)$</field>
    </rule>
    <rule id="900536" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.doc|\.docm|\.docx|\.dot|\.dotm|\.rtf)$</field>
    </rule>
    <rule id="900537" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Excel\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xls|\.xlsm|\.xlsx|\.xlt|\.xltm)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WINWORD\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+EXCEL\.exe)$</field>
    </rule>
    <rule id="900538" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204.002</id>
            <id>attack.execution</id>
        </mitre>
        <description>File With Uncommon Extension Created By An Office Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+powerpnt\.exe|\\+visio\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.com|\.dll|\.exe|\.hta|\.ocx|\.proj|\.ps1|\.scf|\.scr|\.sys|\.vbe|\.vbs|\.wsf|\.wsh)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+assembly\\+tmp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900539" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204.002</id>
            <id>attack.execution</id>
        </mitre>
        <description>File With Uncommon Extension Created By An Office Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+powerpnt\.exe|\\+visio\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.com|\.dll|\.exe|\.hta|\.ocx|\.proj|\.ps1|\.scf|\.scr|\.sys|\.vbe|\.vbs|\.wsf|\.wsh)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+WebServiceCache\\+AllUsers</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+webexdelta\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900540" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Uncommon File Created In Office Startup Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docb)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dotm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.mdb)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.mdw)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.pdf)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.wll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.wwl)$</field>
    </rule>
    <rule id="900541" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Uncommon File Created In Office Startup Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Excel\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xls)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlsm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlsx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlt)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xltm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlw)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
    </rule>
    <rule id="900542" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PCRE.NET Package Temp Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+ba9ea7344a4a5f591d6e5dc32a13494b\\+</field>
    </rule>
    <rule id="900543" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious File Created In PerfLogs</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+PerfLogs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.7z|\.bat|\.bin|\.chm|\.dll|\.exe|\.hta|\.lnk|\.ps1|\.psm1|\.py|\.scr|\.sys|\.vbe|\.vbs|\.zip)$</field>
    </rule>
    <rule id="900544" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Binary Or Script Dropper Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.chm|\.cmd|\.com|\.dll|\.exe|\.hta|\.jar|\.js|\.ocx|\.scr|\.sys|\.vbe|\.vbs|\.wsf)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900545" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Script Dropped Via PowerShell.EXE</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)__PSScriptPolicyTest_</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
    </rule>
    <rule id="900546" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - FileCreation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Add\-ConstrainedDelegationBackdoor\.ps1|\\+Add\-Exfiltration\.ps1|\\+Add\-Persistence\.ps1|\\+Add\-RegBackdoor\.ps1|\\+Add\-RemoteRegBackdoor\.ps1|\\+Add\-ScrnSaveBackdoor\.ps1|\\+ADRecon\.ps1|\\+AzureADRecon\.ps1|\\+Check\-VM\.ps1|\\+ConvertTo\-ROT13\.ps1|\\+Copy\-VSS\.ps1|\\+Create\-MultipleSessions\.ps1|\\+DNS_TXT_Pwnage\.ps1|\\+dnscat2\.ps1|\\+Do\-Exfiltration\.ps1|\\+DomainPasswordSpray\.ps1|\\+Download_Execute\.ps1|\\+Download\-Execute\-PS\.ps1|\\+Enable\-DuplicateToken\.ps1|\\+Enabled\-DuplicateToken\.ps1|\\+Execute\-Command\-MSSQL\.ps1|\\+Execute\-DNSTXT\-Code\.ps1|\\+Execute\-OnTime\.ps1|\\+ExetoText\.ps1|\\+Exploit\-Jboss\.ps1|\\+Find\-AVSignature\.ps1|\\+Find\-Fruit\.ps1|\\+Find\-GPOLocation\.ps1|\\+Find\-TrustedDocuments\.ps1|\\+FireBuster\.ps1|\\+FireListener\.ps1|\\+Get\-ApplicationHost\.ps1|\\+Get\-ChromeDump\.ps1|\\+Get\-ClipboardContents\.ps1|\\+Get\-ComputerDetail\.ps1|\\+Get\-FoxDump\.ps1|\\+Get\-GPPAutologon\.ps1|\\+Get\-GPPPassword\.ps1|\\+Get\-IndexedItem\.ps1|\\+Get\-Keystrokes\.ps1|\\+Get\-LSASecret\.ps1|\\+Get\-MicrophoneAudio\.ps1|\\+Get\-PassHashes\.ps1|\\+Get\-PassHints\.ps1|\\+Get\-RegAlwaysInstallElevated\.ps1|\\+Get\-RegAutoLogon\.ps1|\\+Get\-RickAstley\.ps1|\\+Get\-Screenshot\.ps1|\\+Get\-SecurityPackages\.ps1|\\+Get\-ServiceFilePermission\.ps1|\\+Get\-ServicePermission\.ps1|\\+Get\-ServiceUnquoted\.ps1|\\+Get\-SiteListPassword\.ps1|\\+Get\-System\.ps1|\\+Get\-TimedScreenshot\.ps1|\\+Get\-UnattendedInstallFile\.ps1|\\+Get\-Unconstrained\.ps1|\\+Get\-USBKeystrokes\.ps1|\\+Get\-VaultCredential\.ps1|\\+Get\-VulnAutoRun\.ps1|\\+Get\-VulnSchTask\.ps1|\\+Get\-WebConfig\.ps1|\\+Get\-WebCredentials\.ps1|\\+Get\-WLAN\-Keys\.ps1|\\+Gupt\-Backdoor\.ps1|\\+HTTP\-Backdoor\.ps1|\\+HTTP\-Login\.ps1|\\+Install\-ServiceBinary\.ps1|\\+Install\-SSP\.ps1|\\+Invoke\-ACLScanner\.ps1|\\+Invoke\-ADSBackdoor\.ps1|\\+Invoke\-AmsiBypass\.ps1|\\+Invoke\-ARPScan\.ps1|\\+Invoke\-BackdoorLNK\.ps1|\\+Invoke\-BadPotato\.ps1|\\+Invoke\-BetterSafetyKatz\.ps1|\\+Invoke\-BruteForce\.ps1|\\+Invoke\-BypassUAC\.ps1|\\+Invoke\-Carbuncle\.ps1|\\+Invoke\-Certify\.ps1|\\+Invoke\-ConPtyShell\.ps1|\\+Invoke\-CredentialInjection\.ps1|\\+Invoke\-CredentialsPhish\.ps1|\\+Invoke\-DAFT\.ps1|\\+Invoke\-DCSync\.ps1|\\+Invoke\-Decode\.ps1|\\+Invoke\-DinvokeKatz\.ps1|\\+Invoke\-DllInjection\.ps1|\\+Invoke\-DNSUpdate\.ps1|\\+Invoke\-DowngradeAccount\.ps1|\\+Invoke\-EgressCheck\.ps1|\\+Invoke\-Encode\.ps1|\\+Invoke\-EventViewer\.ps1|\\+Invoke\-Eyewitness\.ps1|\\+Invoke\-FakeLogonScreen\.ps1|\\+Invoke\-Farmer\.ps1|\\+Invoke\-Get\-RBCD\-Threaded\.ps1|\\+Invoke\-Gopher\.ps1|\\+Invoke\-Grouper2\.ps1|\\+Invoke\-Grouper3\.ps1|\\+Invoke\-HandleKatz\.ps1|\\+Invoke\-Interceptor\.ps1|\\+Invoke\-Internalmonologue\.ps1|\\+Invoke\-Inveigh\.ps1|\\+Invoke\-InveighRelay\.ps1|\\+Invoke\-JSRatRegsvr\.ps1|\\+Invoke\-JSRatRundll\.ps1|\\+Invoke\-KrbRelay\.ps1|\\+Invoke\-KrbRelayUp\.ps1|\\+Invoke\-LdapSignCheck\.ps1|\\+Invoke\-Lockless\.ps1|\\+Invoke\-MalSCCM\.ps1|\\+Invoke\-Mimikatz\.ps1|\\+Invoke\-MimikatzWDigestDowngrade\.ps1|\\+Invoke\-Mimikittenz\.ps1|\\+Invoke\-MITM6\.ps1|\\+Invoke\-NanoDump\.ps1|\\+Invoke\-NetRipper\.ps1|\\+Invoke\-NetworkRelay\.ps1|\\+Invoke\-NinjaCopy\.ps1|\\+Invoke\-OxidResolver\.ps1|\\+Invoke\-P0wnedshell\.ps1|\\+Invoke\-P0wnedshellx86\.ps1|\\+Invoke\-Paranoia\.ps1|\\+Invoke\-PortScan\.ps1|\\+Invoke\-PoshRatHttp\.ps1|\\+Invoke\-PoshRatHttps\.ps1|\\+Invoke\-PostExfil\.ps1|\\+Invoke\-PowerDump\.ps1|\\+Invoke\-PowerShellIcmp\.ps1|\\+Invoke\-PowerShellTCP\.ps1|\\+Invoke\-PowerShellTcpOneLine\.ps1|\\+Invoke\-PowerShellTcpOneLineBind\.ps1|\\+Invoke\-PowerShellUdp\.ps1|\\+Invoke\-PowerShellUdpOneLine\.ps1|\\+Invoke\-PowerShellWMI\.ps1|\\+Invoke\-PowerThIEf\.ps1|\\+Invoke\-PPLDump\.ps1|\\+Invoke\-Prasadhak\.ps1|\\+Invoke\-PsExec\.ps1|\\+Invoke\-PsGcat\.ps1|\\+Invoke\-PsGcatAgent\.ps1|\\+Invoke\-PSInject\.ps1|\\+Invoke\-PsUaCme\.ps1|\\+Invoke\-ReflectivePEInjection\.ps1|\\+Invoke\-ReverseDNSLookup\.ps1|\\+Invoke\-Rubeus\.ps1|\\+Invoke\-RunAs\.ps1|\\+Invoke\-SafetyKatz\.ps1|\\+Invoke\-SauronEye\.ps1|\\+Invoke\-SCShell\.ps1|\\+Invoke\-Seatbelt\.ps1|\\+Invoke\-ServiceAbuse\.ps1|\\+Invoke\-SessionGopher\.ps1|\\+Invoke\-ShellCode\.ps1|\\+Invoke\-SMBScanner\.ps1|\\+Invoke\-Snaffler\.ps1|\\+Invoke\-Spoolsample\.ps1|\\+Invoke\-SSHCommand\.ps1|\\+Invoke\-SSIDExfil\.ps1|\\+Invoke\-StandIn\.ps1|\\+Invoke\-StickyNotesExtract\.ps1|\\+Invoke\-Tater\.ps1|\\+Invoke\-Thunderfox\.ps1|\\+Invoke\-ThunderStruck\.ps1|\\+Invoke\-TokenManipulation\.ps1|\\+Invoke\-Tokenvator\.ps1|\\+Invoke\-TotalExec\.ps1|\\+Invoke\-UrbanBishop\.ps1|\\+Invoke\-UserHunter\.ps1|\\+Invoke\-VoiceTroll\.ps1|\\+Invoke\-Whisker\.ps1|\\+Invoke\-WinEnum\.ps1|\\+Invoke\-winPEAS\.ps1|\\+Invoke\-WireTap\.ps1|\\+Invoke\-WmiCommand\.ps1|\\+Invoke\-WScriptBypassUAC\.ps1|\\+Invoke\-Zerologon\.ps1|\\+Keylogger\.ps1|\\+MailRaider\.ps1|\\+New\-HoneyHash\.ps1|\\+OfficeMemScraper\.ps1|\\+Offline_Winpwn\.ps1|\\+Out\-CHM\.ps1|\\+Out\-DnsTxt\.ps1|\\+Out\-Excel\.ps1|\\+Out\-HTA\.ps1|\\+Out\-Java\.ps1|\\+Out\-JS\.ps1|\\+Out\-Minidump\.ps1|\\+Out\-RundllCommand\.ps1|\\+Out\-SCF\.ps1|\\+Out\-SCT\.ps1|\\+Out\-Shortcut\.ps1|\\+Out\-WebQuery\.ps1|\\+Out\-Word\.ps1|\\+Parse_Keys\.ps1|\\+Port\-Scan\.ps1|\\+PowerBreach\.ps1|\\+powercat\.ps1|\\+Powermad\.ps1|\\+PowerRunAsSystem\.psm1|\\+PowerSharpPack\.ps1|\\+PowerUp\.ps1|\\+PowerUpSQL\.ps1|\\+PowerView\.ps1|\\+PSAsyncShell\.ps1|\\+RemoteHashRetrieval\.ps1|\\+Remove\-Persistence\.ps1|\\+Remove\-PoshRat\.ps1|\\+Remove\-Update\.ps1|\\+Run\-EXEonRemote\.ps1|\\+Schtasks\-Backdoor\.ps1|\\+Set\-DCShadowPermissions\.ps1|\\+Set\-MacAttribute\.ps1|\\+Set\-RemotePSRemoting\.ps1|\\+Set\-RemoteWMI\.ps1|\\+Set\-Wallpaper\.ps1|\\+Show\-TargetScreen\.ps1|\\+Speak\.ps1|\\+Start\-CaptureServer\.ps1|\\+Start\-WebcamRecorder\.ps1|\\+StringToBase64\.ps1|\\+TexttoExe\.ps1|\\+VolumeShadowCopyTools\.ps1|\\+WinPwn\.ps1|\\+WSUSpendu\.ps1)$</field>
    </rule>
    <rule id="900547" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - FileCreation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)Invoke\-Sharp</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1)$</field>
    </rule>
    <rule id="900548" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Module File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+WindowsPowerShell\\+Modules\\+|\\+PowerShell\\+7\\+Modules\\+</field>
    </rule>
    <rule id="900549" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Suspicious PowerShell Module File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WindowsPowerShell\\+Modules\\+.+\\+\.ps|\\+WindowsPowerShell\\+Modules\\+.+\\+\.dll)$</field>
    </rule>
    <rule id="900550" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Module File Created By Non-PowerShell Process</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+WindowsPowerShell\\+Modules\\+|\\+PowerShell\\+7\\+Modules\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900551" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Potential Startup Shortcut Persistence Via PowerShell.EXE</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+start\ menu\\+programs\\+startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
    </rule>
    <rule id="900552" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PSScriptPolicyTest Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)__PSScriptPolicyTest_</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+ServerManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900553" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_config_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>Rclone Config File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+\.config\\+rclone\\+</field>
    </rule>
    <rule id="900554" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>RDP File Creation From Suspicious Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+CCleaner\ Browser\\+Application\\+CCleanerBrowser\.exe|\\+chromium\.exe|\\+firefox\.exe|\\+Google\\+Chrome\\+Application\\+chrome\.exe|\\+iexplore\.exe|\\+microsoftedge\.exe|\\+msedge\.exe|\\+Opera\.exe|\\+Vivaldi\.exe|\\+Whale\.exe|\\+Outlook\.exe|\\+RuntimeBroker\.exe|\\+Thunderbird\.exe|\\+Discord\.exe|\\+Keybase\.exe|\\+msteams\.exe|\\+Slack\.exe|\\+teams\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.rdp</field>
    </rule>
    <rule id="900555" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Winnti Dropper Activity</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+gthread\-3\.6\.dll|\\+sigcmm\-2\.4\.dll|\\+Windows\\+Temp\\+tmp\.bat)$</field>
    </rule>
    <rule id="900556" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remcom_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>RemCom Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+RemComSvc\.exe)$</field>
    </rule>
    <rule id="900557" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>ScreenConnect Temporary Installation Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Bin\\+ScreenConnect\.</field>
    </rule>
    <rule id="900558" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Temporary File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ScreenConnect\.WindowsClient\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Documents\\+ConnectWiseControl\\+Temp\\+</field>
    </rule>
    <rule id="900559" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Potential RipZip Attack on Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.lnk\.\{0AFACED1\-E828\-11D1\-9187\-B532F1E9575D\}</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
    </rule>
    <rule id="900560" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Potential SAM Database Dump</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Temp\\+sam|\\+sam\.sav|\\+Intel\\+sam|\\+sam\.hive|\\+Perflogs\\+sam|\\+ProgramData\\+sam|\\+Users\\+Public\\+sam|\\+AppData\\+Local\\+sam|\\+AppData\\+Roaming\\+sam|_ShadowSteal\.zip|\\+Documents\\+SAM\.export|:\\+sam)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+hive_sam_|\\+sam\.save|\\+sam\.export|\\+\~reg_sam\.save|\\+sam_backup|\\+sam\.bck|\\+sam\.backup</field>
    </rule>
    <rule id="900561" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Self Extraction Directive File Created In Potentially Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+ProgramData\\+|:\\+Temp\\+|:\\+Windows\\+System32\\+Tasks\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sed)$</field>
    </rule>
    <rule id="900562" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Shell/Scripting Application File Write to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+msbuild\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+sh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+PerfLogs\\+|C:\\+Users\\+Public\\+)</field>
    </rule>
    <rule id="900563" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Shell/Scripting Application File Write to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+forfiles\.exe|\\+mshta\.exe|\\+schtasks\.exe|\\+scriptrunner\.exe|\\+wmic\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+PerfLogs\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900564" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Windows Binaries Write Suspicious Extensions</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+smss\.exe|\\+RuntimeBroker\.exe|\\+sihost\.exe|\\+lsass\.exe|\\+csrss\.exe|\\+winlogon\.exe|\\+wininit\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.vbe|\.txt|\.vbs|\.exe|\.ps1|\.hta|\.iso|\.dll)$</field>
    </rule>
    <rule id="900565" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Windows Binaries Write Suspicious Extensions</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.vbe|\.vbs|\.ps1|\.hta|\.iso)$</field>
    </rule>
    <rule id="900566" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Startup Folder File Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+StartUp</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+wuauclt\.exe</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+NewOS\\+)</field>
    </rule>
    <rule id="900567" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Suspicious Creation with Colorcpl</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+colorcpl\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.icm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.gmmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.cdmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.camp)$</field>
    </rule>
    <rule id="900568" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1055</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Created Files by Microsoft Sync Center</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mobsync\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
    </rule>
    <rule id="900569" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1036.005</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Files in Default GPO Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Policies\\+\{31B2F340\-016D\-11D2\-945F\-00C04FB984F9\}\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
    </rule>
    <rule id="900570" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Target File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Personalization\\+LockScreenImage\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.jpg</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.jpeg</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.png</field>
    </rule>
    <rule id="900571" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Suspicious desktop.ini Action</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+desktop\.ini)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+JetBrains\\+Toolbox\\+bin\\+7z\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+JetBrains\\+apps\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+NewOS\\+)</field>
    </rule>
    <rule id="900572" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Creation TXT File in User Desktop</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Desktop\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.txt)$</field>
    </rule>
    <rule id="900573" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
        </mitre>
        <description>Creation of a Diagcab</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.diagcab)$</field>
    </rule>
    <rule id="900574" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Double Extension Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe|\.iso|\.rar|\.zip)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
    </rule>
    <rule id="900575" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Double Extension Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.rar\.exe|\.zip\.exe)$</field>
    </rule>
    <rule id="900576" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Suspicious MSExchangeMailboxReplication ASPX Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MSExchangeMailboxReplication\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.aspx|\.asp)$</field>
    </rule>
    <rule id="900577" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Suspicious Executable File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::\\+\$Recycle\.Bin\.exe|:\\+Documents\ and\ Settings\.exe|:\\+MSOCache\.exe|:\\+PerfLogs\.exe|:\\+Recovery\.exe|\.bat\.exe|\.sys\.exe)$</field>
    </rule>
    <rule id="900578" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Get-Variable.exe Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:Local\\+Microsoft\\+WindowsApps\\+Get\-Variable\.exe)$</field>
    </rule>
    <rule id="900579" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)::\$index_allocation</field>
    </rule>
    <rule id="900580" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Archive</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winword\.exe|\\+excel\.exe|\\+powerpnt\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+eqnedt32\.exe|\\+visio\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+finger\.exe|\\+notepad\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+mshta\.exe|\\+hh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.zip|\.rar|\.7z|\.diagcab|\.appx)$</field>
    </rule>
    <rule id="900581" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Executable</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+mshta\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+hh\.exe|\\+finger\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe|\.dll|\.ocx)$</field>
    </rule>
    <rule id="900582" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Script</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+mshta\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+hh\.exe|\\+finger\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1|\.bat|\.vbs|\.scf|\.wsf|\.wsh)$</field>
    </rule>
    <rule id="900583" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious LNK Double Extension File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Windows\\+Recent\\+</field>
    </rule>
    <rule id="900584" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious LNK Double Extension File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powerpnt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Office\\+Recent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Excel</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powerpnt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+PowerPoint</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Word</field>
    </rule>
    <rule id="900585" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Suspicious PFX File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pfx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Templates\\+Windows\\+Windows_TemporaryKey\.pfx</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+CMake\\+</field>
    </rule>
    <rule id="900586" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.013</id>
        </mitre>
        <description>PowerShell Profile Modification</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.PowerShell_profile\.ps1|\\+PowerShell\\+profile\.ps1|\\+Program\ Files\\+PowerShell\\+7\-preview\\+profile\.ps1|\\+Program\ Files\\+PowerShell\\+7\\+profile\.ps1|\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+profile\.ps1|\\+WindowsPowerShell\\+profile\.ps1)$</field>
    </rule>
    <rule id="900587" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1562.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PROCEXP152.sys File Created In TMP</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:PROCEXP152\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procexp64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procexp\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procmon64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procmon\.exe</field>
    </rule>
    <rule id="900588" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious File Creation Activity From Fake Recycle.Bin Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
    </rule>
    <rule id="900589" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Drop Binaries Into Spool Drivers Color Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spool\\+drivers\\+color\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe|\.sys)$</field>
    </rule>
    <rule id="900590" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Startup Folder Persistence</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.vbs|\.vbe|\.bat|\.ps1|\.hta|\.dll|\.jar|\.msi|\.scr|\.cmd)$</field>
    </rule>
    <rule id="900591" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Interactive PowerShell as SYSTEM</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Roaming\\+Microsoft\\+Windows\\+PowerShell\\+PSReadLine\\+ConsoleHost_history\.txt|C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Local\\+Microsoft\\+Windows\\+PowerShell\\+StartupProfileData\-Interactive</field>
    </rule>
    <rule id="900592" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.execution</id>
            <id>attack.t1053</id>
        </mitre>
        <description>Suspicious Scheduled Task Write to System32 Tasks</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+Tasks</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|C:\\+PerfLogs|\\+Windows\\+System32\\+config\\+systemprofile</field>
    </rule>
    <rule id="900593" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Remote Session</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+TeamViewer\\+RemotePrinting\\+tvprint\.db|\\+TeamViewer\\+TVNetwork\.log)$</field>
    </rule>
    <rule id="900594" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Remote Session</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+TeamViewer</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)_Logfile\.log</field>
    </rule>
    <rule id="900595" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.013</id>
        </mitre>
        <description>VsCode Powershell Profile Modification</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.VSCode_profile\.ps1)$</field>
    </rule>
    <rule id="900596" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.015</id>
        </mitre>
        <description>Windows Terminal Profile Settings Modification By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Packages\\+Microsoft\.WindowsTerminal_8wekyb3d8bbwe\\+LocalState\\+settings\.json)$</field>
    </rule>
    <rule id="900597" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>WinSxS Executable File Creation By Non-System Process</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Systems32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900598" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Kernel Memory Dump File Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+livekd\.dmp</field>
    </rule>
    <rule id="900599" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Driver Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+drivers\\+LiveKdD\.SYS</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+livekd\.exe|\\+livek64\.exe)$</field>
    </rule>
    <rule id="900600" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Driver Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+drivers\\+LiveKdD\.SYS</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livek64\.exe)$</field>
    </rule>
    <rule id="900601" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Process Explorer Driver Creation By Non-Sysinternals Binary</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+PROCEXP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
    </rule>
    <rule id="900602" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Process Monitor Driver Creation By Non-Sysinternals Binary</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+procmon</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
    </rule>
    <rule id="900603" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PsExec Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+PSEXESVC\.exe)$</field>
    </rule>
    <rule id="900604" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1136.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1570</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PSEXEC Remote Execution File Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+PSEXEC\-)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.key)$</field>
    </rule>
    <rule id="900605" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Potential Privilege Escalation Attempt Via .Exe.Local Technique</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+logonUI\.exe\.local|C:\\+Windows\\+System32\\+werFault\.exe\.local|C:\\+Windows\\+System32\\+consent\.exe\.local|C:\\+Windows\\+System32\\+narrator\.exe\.local|C:\\+Windows\\+System32\\+wermgr\.exe\.local)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900606" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Creation Via Taskmgr.EXE</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+system32\\+taskmgr\.exe|:\\+Windows\\+SysWOW64\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.DMP</field>
    </rule>
    <rule id="900607" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Hijack Legit RDP Session to Move Laterally</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
    </rule>
    <rule id="900608" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Consent and Comctl32 - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+consent\.exe\.@)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900609" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using .NET Code Profiler on MMC</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pe386\.dll)$</field>
    </rule>
    <rule id="900610" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>UAC Bypass Using EventVwr</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Event\ Viewer\\+RecentViews|\\+Microsoft\\+EventV\~1\\+RecentViews)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900611" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IDiagnostic Profile - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900612" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IEInstal - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+IEInstal\.exe</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:consent\.exe)$</field>
    </rule>
    <rule id="900613" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using MSConfig Token Modification - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pkgmgr\.exe)$</field>
    </rule>
    <rule id="900614" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+api\-ms\-win\-core\-kernel32\-legacy\-l1\.DLL)$</field>
    </rule>
    <rule id="900615" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+system32\\+winsat\.exe|\\+AppData\\+Local\\+Temp\\+system32\\+winmm\.dll)$</field>
    </rule>
    <rule id="900616" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+OskSupport\.dll)$</field>
    </rule>
    <rule id="900617" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+system32\\+DllHost\.exe</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe</field>
    </rule>
    <rule id="900618" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>VHD Image Download Via Browser</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+firefox\.exe|\\+iexplore\.exe|\\+maxthon\.exe|\\+MicrosoftEdge\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+opera\.exe|\\+safari\.exe|\\+seamonkey\.exe|\\+vivaldi\.exe|\\+whale\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.vhd</field>
    </rule>
    <rule id="900619" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Visual Studio Code Tunnel Remote File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+\.vscode\-server\\+data\\+User\\+History\\+</field>
    </rule>
    <rule id="900620" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Renamed VsCode Code Tunnel Execution - File Indicator</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+code_tunnel\.json)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="900621" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Potential Webshell Creation On Static Website</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+inetpub\\+wwwroot\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ashx|\.asp|\.ph|\.soap</field>
    </rule>
    <rule id="900622" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Potential Webshell Creation On Static Website</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+www\\+|\\+htdocs\\+|\\+html\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ph</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+xampp</field>
    </rule>
    <rule id="900623" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
        </mitre>
        <description>Creation of an WerFault.exe in Unusual Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe|\\+wer\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+WinSxS\\+</field>
    </rule>
    <rule id="900624" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:WsmPty\.xsl|WsmTxt\.xsl)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900625" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Wmiexec Default Output File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+__1\d{9}\.\d{1,7}$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+__1\d{9}\.\d{1,7}$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)D:\\+__1\d{9}\.\d{1,7}$</field>
    </rule>
    <rule id="900626" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Wmiprvse Wbemcomn DLL Hijack - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
    </rule>
    <rule id="900627" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.003</id>
            <id>attack.persistence</id>
        </mitre>
        <description>WMI Persistence - Script Event Consumer File Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+wbem\\+scrcons\.exe</field>
    </rule>
    <rule id="900628" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1542.001</id>
        </mitre>
        <description>UEFI Persistence Via Wpbbin - FileCreation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+wpbbin\.exe</field>
    </rule>
    <rule id="900629" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Writing Local Admin Share</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+127\.0\.0</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+ADMIN\$\\+</field>
    </rule>
    <rule id="900630" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Self Extraction Directive File Created</description>
        <options>no_full_log</options>
        <group>windows,file_executable_detected,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sed)$</field>
    </rule>
    <rule id="900631" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Appended Extension</description>
        <options>no_full_log</options>
        <group>windows,file_rename,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.doc|\.docx|\.jpeg|\.jpg|\.lnk|\.pdf|\.png|\.pst|\.rtf|\.xls|\.xlsx)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpeg\.|\.jpg\.|\.lnk\.|\.pdf\.|\.png\.|\.pst\.|\.rtf\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.backup)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.bak)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.old)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.orig)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.temp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
    </rule>
    <rule id="900632" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Appended Extension</description>
        <options>no_full_log</options>
        <group>windows,file_rename,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.doc|\.docx|\.jpeg|\.jpg|\.lnk|\.pdf|\.png|\.pst|\.rtf|\.xls|\.xlsx)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpeg\.|\.jpg\.|\.lnk\.|\.pdf\.|\.png\.|\.pst\.|\.rtf\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Anaconda3\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.c\~)$</field>
    </rule>
    <rule id="900633" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
        </mitre>
        <description>DLL Loaded From Suspicious Location Via Cmspt.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+PerfLogs\\+|\\+ProgramData\\+|\\+Users\\+|\\+Windows\\+Temp\\+|C:\\+Temp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.dll|\.ocx)$</field>
    </rule>
    <rule id="900634" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Amsi.DLL Loaded Via LOLBIN Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+amsi\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ExtExport\.exe|\\+odbcconf\.exe|\\+regsvr32\.exe|\\+rundll32\.exe)$</field>
    </rule>
    <rule id="900635" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Azure Browser SSO Abuse</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+MicrosoftAccountTokenProvider\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+BackgroundTaskHost\.exe)$</field>
    </rule>
    <rule id="900636" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Azure Browser SSO Abuse</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+MicrosoftAccountTokenProvider\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+OneDrive\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900637" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Renamed Comsvcs DLL Loaded By Rundll32</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=eed93054cb555f3de70eaa9787f32ebb|IMPHASH=5e0dbdec1fce52daae251a110b4f309d|IMPHASH=eadbccbb324829acb5f2bbe87e5549a8|IMPHASH=407ca0f7b523319d758a40d7c0193699|IMPHASH=281d618f4e6271e527e6386ea6f748de</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+comsvcs\.dll)$</field>
    </rule>
    <rule id="900638" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>CredUI.DLL Loaded By Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+credui\.dll|\\+wincredui\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)credui\.dll|wincredui\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+regedit\.exe</field>
    </rule>
    <rule id="900639" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>CredUI.DLL Loaded By Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+credui\.dll|\\+wincredui\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)credui\.dll|wincredui\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera_autoupdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Teams\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
    </rule>
    <rule id="900640" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll|\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)false</field>
    </rule>
    <rule id="900641" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PCRE.NET Package Image Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+ba9ea7344a4a5f591d6e5dc32a13494b\\+</field>
    </rule>
    <rule id="900642" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By A Suspicious Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RstrtMgr\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="900643" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By A Suspicious Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RstrtMgr\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="900644" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By An Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RstrtMgr\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysNative\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WUDownloadCache\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\.tmp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900645" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
            <id>cve.2022.30190</id>
        </mitre>
        <description>Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+sdiageng\.dll)$</field>
    </rule>
    <rule id="900646" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1059.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Core DLL Loaded By Non PowerShell Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)System\.Management\.Automation</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)System\.Management\.Automation\.dll</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+System\.Management\.Automation\.dll|\\+System\.Management\.Automation\.ni\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+System32\\+RemoteFXvGPUDisablement\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+runscripthelper\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+ServerManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+SyncAppvPublishingServer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winrshost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+winrshost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)$</field>
    </rule>
    <rule id="900647" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1059.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Core DLL Loaded By Non PowerShell Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)System\.Management\.Automation</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)System\.Management\.Automation\.dll</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+System\.Management\.Automation\.dll|\\+System\.Management\.Automation\.ni\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ SQL\ Server\ Management\ Studio</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ SQL\ Server\ Management\ Studio</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+IDE\\+Ssms\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Tools\\+Binn\\+SQLPS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Citrix\\+ConfigSync\\+ConfigSyncRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+chocolatey\\+choco\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900648" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1218</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Time Travel Debugging Utility Usage - Image</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ttdrecord\.dll|\\+ttdwriter\.dll|\\+ttdloader\.dll)$</field>
    </rule>
    <rule id="900649" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy Vssapi.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vssapi\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+\{)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Package\ Cache\\+)</field>
    </rule>
    <rule id="900650" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy Vsstrace.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vsstrace\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+\{)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900651" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy VSS_PS.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vss_ps\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+clussvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dismhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+inetsrv\\+appcmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+inetsrv\\+iissetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+searchindexer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+srtasks\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+System32\\+SystemPropertiesAdvanced\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+taskhostw\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tiworker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vssvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WinREAgent\\+Scratch\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+dismhost\.exe\ \{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900652" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SharpEvtMute DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=330768A4F172E10ACB6287B87289D83B</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)330768a4f172e10acb6287b87289d83b</field>
    </rule>
    <rule id="900653" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071</id>
        </mitre>
        <description>HackTool - SILENTTRINITY Stager DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)st2stager</field>
    </rule>
    <rule id="900654" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Potential DCOM InternetExplorer.Application DLL Hijack - Image Load</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
    </rule>
    <rule id="900655" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Unsigned Image Loaded Into LSASS Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)false</field>
    </rule>
    <rule id="900656" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>DotNET Assembly DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+assembly\\+)</field>
    </rule>
    <rule id="900657" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>CLR DLL Loaded Via Office Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+outlook\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+clr\.dll</field>
    </rule>
    <rule id="900658" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>GAC DLL Loaded Via Office Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+assembly\\+GAC_MSIL)</field>
    </rule>
    <rule id="900659" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dsparse_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Active Directory Parsing DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+dsparse\.dll</field>
    </rule>
    <rule id="900660" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Microsoft Excel Add-In Loaded From Uncommon Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Desktop\\+|\\+Downloads\\+|\\+Perflogs\\+|\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="900661" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_kerberos_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Active Directory Kerberos DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+kerberos\.dll)$</field>
    </rule>
    <rule id="900662" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Microsoft VBA For Outlook Addin Loaded Via Outlook</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+outlvba\.dll)$</field>
    </rule>
    <rule id="900663" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_powershell_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PowerShell Core DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+outlook\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+System\.Management\.Automation\.Dll|\\+System\.Management\.Automation\.ni\.Dll</field>
    </rule>
    <rule id="900664" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_vbadll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>VBA DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+VBE7\.DLL|\\+VBEUI\.DLL|\\+VBE7INTL\.DLL)$</field>
    </rule>
    <rule id="900665" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Remote DLL Load Via Rundll32.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:\\+)</field>
    </rule>
    <rule id="900666" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vbscript\.dll|\\+wbemdisp\.dll|\\+wshom\.ocx|\\+scrrun\.dll)$</field>
    </rule>
    <rule id="900667" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_7za.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential 7za.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+7za\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="900668" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Abusable DLL Potential Sideloading From Suspicious Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+coreclr\.dll|\\+facesdk\.dll|\\+HPCustPartUI\.dll|\\+libcef\.dll|\\+ZIPDLL\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900669" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Abusable DLL Potential Sideloading From Suspicious Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+coreclr\.dll|\\+facesdk\.dll|\\+HPCustPartUI\.dll|\\+libcef\.dll|\\+ZIPDLL\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="900670" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Bitdefender\ Antivirus\ Free\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Bitdefender\ Antivirus\ Free\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dell\\+SARemediation\\+audit\\+TelemetryUtility\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dell\\+SARemediation\\+plugin\\+log\.dll</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dell\\+SARemediation\\+audit\\+log\.dll</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Canon\\+MyPrinter\\+)</field>
    </rule>
    <rule id="900671" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+F\-Secure\\+Anti\-Virus\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+F\-Secure\\+Anti\-Virus\\+)</field>
    </rule>
    <rule id="900672" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+F\-Secure\\+Anti\-Virus\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+F\-Secure\\+Anti\-Virus\\+)</field>
    </rule>
    <rule id="900673" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+McAfee\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+McAfee\\+)</field>
    </rule>
    <rule id="900674" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CyberArk\\+Endpoint\ Privilege\ Manager\\+Agent\\+x32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CyberArk\\+Endpoint\ Privilege\ Manager\\+Agent\\+x32\\+)</field>
    </rule>
    <rule id="900675" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+AVAST\ Software\\+Avast\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+AVAST\ Software\\+Avast\\+)</field>
    </rule>
    <rule id="900676" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tmdbglog\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+Trend\ Micro\\+Titanium\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+Trend\ Micro\\+Titanium\\+)</field>
    </rule>
    <rule id="900677" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tmdbglog\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+DLPPREM32\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+ESET)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+ESET)</field>
    </rule>
    <rule id="900678" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_appverifui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential appverifUI.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+appverifUI\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+appverif\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+appverif\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900679" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Aruba Network Service Potential DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arubanetsvc\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wtsapi32\.dll|\\+msvcr100\.dll|\\+msvcp100\.dll|\\+dbghelp\.dll|\\+dbgcore\.dll|\\+wininet\.dll|\\+iphlpapi\.dll|\\+version\.dll|\\+cryptsp\.dll|\\+cryptbase\.dll|\\+wldp\.dll|\\+profapi\.dll|\\+sspicli\.dll|\\+winsta\.dll|\\+dpapi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900680" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_avkkid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential AVKkid.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+AVKkid\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+G\ DATA\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+G\ DATA\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AVKKid\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+G\ DATA\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+G\ DATA\\+)</field>
    </rule>
    <rule id="900681" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_du.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential CCleanerDU.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+CCleanerDU\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleaner\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleaner64\.exe)$</field>
    </rule>
    <rule id="900682" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential CCleanerReactivator.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+CCleanerReactivator\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleanerReactivator\.exe)$</field>
    </rule>
    <rule id="900683" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Chrome Frame Helper DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+chrome_frame_helper\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+)</field>
    </rule>
    <rule id="900684" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Chrome Frame Helper DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+chrome_frame_helper\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+local\\+Google\\+Chrome\\+Application\\+</field>
    </rule>
    <rule id="900685" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via ClassicExplorer32.dll</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ClassicExplorer32\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Classic\ Shell\\+)</field>
    </rule>
    <rule id="900686" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via comctl32.dll</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+logonUI\.exe\.local\\+|C:\\+Windows\\+System32\\+werFault\.exe\.local\\+|C:\\+Windows\\+System32\\+consent\.exe\.local\\+|C:\\+Windows\\+System32\\+narrator\.exe\.local\\+|C:\\+windows\\+system32\\+wermgr\.exe\.local\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900687" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_coregen.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential DLL Sideloading Using Coregen.exe</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+coregen\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Silverlight\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Silverlight\\+)</field>
    </rule>
    <rule id="900688" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>System Control Panel Item Loaded From Uncommon Location</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+hdwwiz\.cpl|\\+appwiz\.cpl)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="900689" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGCORE.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SystemTemp\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900690" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGCORE.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Steam\\+bin\\+cef\\+cef\.win7x64\\+dbgcore\.dll)$</field>
    </rule>
    <rule id="900691" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGHELP.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SystemTemp\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900692" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGHELP.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Anaconda3\\+Lib\\+site\-packages\\+vtrace\\+platforms\\+windll\\+amd64\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Anaconda3\\+Lib\\+site\-packages\\+vtrace\\+platforms\\+windll\\+i386\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Epic\ Games\\+Launcher\\+Engine\\+Binaries\\+ThirdParty\\+DbgHelp\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Epic\ Games\\+MagicLegends\\+x86\\+dbghelp\.dll)$</field>
    </rule>
    <rule id="900693" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_eacore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential EACore.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+EACore\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Electronic\ Arts\\+EA\ Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+EACoreServer\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Electronic\ Arts\\+EA\ Desktop\\+)</field>
    </rule>
    <rule id="900694" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_edputil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Edputil.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+edputil\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900695" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential System DLL Sideloading From Non System Locations</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+shfolder\.dll|\\+activeds\.dll|\\+adsldpc\.dll|\\+aepic\.dll|\\+apphelp\.dll|\\+applicationframe\.dll|\\+appxalluserstore\.dll|\\+appxdeploymentclient\.dll|\\+archiveint\.dll|\\+atl\.dll|\\+audioses\.dll|\\+auditpolcore\.dll|\\+authfwcfg\.dll|\\+authz\.dll|\\+avrt\.dll|\\+bcd\.dll|\\+bcp47langs\.dll|\\+bcp47mrm\.dll|\\+bcrypt\.dll|\\+cabinet\.dll|\\+cabview\.dll|\\+certenroll\.dll|\\+cldapi\.dll|\\+clipc\.dll|\\+clusapi\.dll|\\+cmpbk32\.dll|\\+coloradapterclient\.dll|\\+colorui\.dll|\\+comdlg32\.dll|\\+connect\.dll|\\+coremessaging\.dll|\\+credui\.dll|\\+cryptbase\.dll|\\+cryptdll\.dll|\\+cryptui\.dll|\\+cryptxml\.dll|\\+cscapi\.dll|\\+cscobj\.dll|\\+cscui\.dll|\\+d2d1\.dll|\\+d3d10\.dll|\\+d3d10_1\.dll|\\+d3d10_1core\.dll|\\+d3d10core\.dll|\\+d3d10warp\.dll|\\+d3d11\.dll|\\+d3d12\.dll|\\+d3d9\.dll|\\+dataexchange\.dll|\\+davclnt\.dll|\\+dcomp\.dll|\\+defragproxy\.dll|\\+desktopshellext\.dll|\\+deviceassociation\.dll|\\+devicecredential\.dll|\\+devicepairing\.dll|\\+devobj\.dll|\\+devrtl\.dll|\\+dhcpcmonitor\.dll|\\+dhcpcsvc\.dll|\\+dhcpcsvc6\.dll|\\+directmanipulation\.dll|\\+dismapi\.dll|\\+dismcore\.dll|\\+dmcfgutils\.dll|\\+dmcmnutils\.dll|\\+dmenrollengine\.dll|\\+dmenterprisediagnostics\.dll|\\+dmiso8601utils\.dll|\\+dmoleaututils\.dll|\\+dmprocessxmlfiltered\.dll|\\+dmpushproxy\.dll|\\+dmxmlhelputils\.dll|\\+dnsapi\.dll|\\+dot3api\.dll|\\+dot3cfg\.dll|\\+drprov\.dll|\\+dsclient\.dll|\\+dsparse\.dll|\\+dsreg\.dll|\\+dsrole\.dll|\\+dui70\.dll|\\+duser\.dll|\\+dusmapi\.dll|\\+dwmapi\.dll|\\+dwrite\.dll|\\+dxgi\.dll|\\+dxva2\.dll|\\+eappcfg\.dll|\\+eappprxy\.dll|\\+edputil\.dll|\\+efsadu\.dll|\\+efsutil\.dll|\\+esent\.dll|\\+execmodelproxy\.dll|\\+explorerframe\.dll|\\+fastprox\.dll|\\+faultrep\.dll|\\+fddevquery\.dll|\\+feclient\.dll|\\+fhcfg\.dll|\\+firewallapi\.dll|\\+flightsettings\.dll|\\+fltlib\.dll|\\+fveapi\.dll|\\+fwbase\.dll|\\+fwcfg\.dll|\\+fwpolicyiomgr\.dll|\\+fwpuclnt\.dll|\\+getuname\.dll|\\+hid\.dll|\\+hnetmon\.dll|\\+httpapi\.dll|\\+idstore\.dll|\\+ieadvpack\.dll|\\+iedkcs32\.dll|\\+iernonce\.dll|\\+iertutil\.dll|\\+ifmon\.dll|\\+iphlpapi\.dll|\\+iri\.dll|\\+iscsidsc\.dll|\\+iscsium\.dll|\\+isv\.exe_rsaenh\.dll|\\+joinutil\.dll|\\+ksuser\.dll|\\+ktmw32\.dll|\\+licensemanagerapi\.dll|\\+licensingdiagspp\.dll|\\+linkinfo\.dll|\\+loadperf\.dll|\\+logoncli\.dll|\\+logoncontroller\.dll|\\+lpksetupproxyserv\.dll|\\+magnification\.dll|\\+mapistub\.dll|\\+mfcore\.dll|\\+mfplat\.dll|\\+mi\.dll|\\+midimap\.dll|\\+miutils\.dll|\\+mlang\.dll|\\+mmdevapi\.dll|\\+mobilenetworking\.dll|\\+mpr\.dll|\\+mprapi\.dll|\\+mrmcorer\.dll|\\+msacm32\.dll|\\+mscms\.dll|\\+mscoree\.dll|\\+msctf\.dll|\\+msctfmonitor\.dll|\\+msdrm\.dll|\\+msftedit\.dll|\\+msi\.dll|\\+msutb\.dll|\\+mswb7\.dll|\\+mswsock\.dll|\\+msxml3\.dll|\\+mtxclu\.dll|\\+napinsp\.dll|\\+ncrypt\.dll|\\+ndfapi\.dll|\\+netid\.dll|\\+netiohlp\.dll|\\+netplwiz\.dll|\\+netprofm\.dll|\\+netsetupapi\.dll|\\+netshell\.dll|\\+netutils\.dll|\\+networkexplorer\.dll|\\+newdev\.dll|\\+ninput\.dll|\\+nlaapi\.dll|\\+nlansp_c\.dll|\\+npmproxy\.dll|\\+nshhttp\.dll|\\+nshipsec\.dll|\\+nshwfp\.dll|\\+ntdsapi\.dll|\\+ntlanman\.dll|\\+ntlmshared\.dll|\\+ntmarta\.dll|\\+ntshrui\.dll|\\+oleacc\.dll|\\+omadmapi\.dll|\\+onex\.dll|\\+osbaseln\.dll|\\+osuninst\.dll|\\+p2p\.dll|\\+p2pnetsh\.dll|\\+p9np\.dll|\\+pcaui\.dll|\\+pdh\.dll|\\+peerdistsh\.dll|\\+pla\.dll|\\+pnrpnsp\.dll|\\+policymanager\.dll|\\+polstore\.dll|\\+printui\.dll|\\+propsys\.dll|\\+prvdmofcomp\.dll|\\+puiapi\.dll|\\+radcui\.dll|\\+rasapi32\.dll|\\+rasgcw\.dll|\\+rasman\.dll|\\+rasmontr\.dll|\\+reagent\.dll|\\+regapi\.dll|\\+resutils\.dll|\\+rmclient\.dll|\\+rpcnsh\.dll|\\+rsaenh\.dll|\\+rtutils\.dll|\\+rtworkq\.dll|\\+samcli\.dll|\\+samlib\.dll|\\+sapi_onecore\.dll|\\+sas\.dll|\\+scansetting\.dll|\\+scecli\.dll|\\+schedcli\.dll|\\+secur32\.dll|\\+shell32\.dll|\\+slc\.dll|\\+snmpapi\.dll|\\+spp\.dll|\\+sppc\.dll|\\+srclient\.dll|\\+srpapi\.dll|\\+srvcli\.dll|\\+ssp\.exe_rsaenh\.dll|\\+ssp_isv\.exe_rsaenh\.dll|\\+sspicli\.dll|\\+ssshim\.dll|\\+staterepository\.core\.dll|\\+structuredquery\.dll|\\+sxshared\.dll|\\+tapi32\.dll|\\+tbs\.dll|\\+tdh\.dll|\\+tquery\.dll|\\+tsworkspace\.dll|\\+ttdrecord\.dll|\\+twext\.dll|\\+twinapi\.dll|\\+twinui\.appcore\.dll|\\+uianimation\.dll|\\+uiautomationcore\.dll|\\+uireng\.dll|\\+uiribbon\.dll|\\+updatepolicy\.dll|\\+userenv\.dll|\\+utildll\.dll|\\+uxinit\.dll|\\+uxtheme\.dll|\\+vaultcli\.dll|\\+virtdisk\.dll|\\+vssapi\.dll|\\+vsstrace\.dll|\\+wbemprox\.dll|\\+wbemsvc\.dll|\\+wcmapi\.dll|\\+wcnnetsh\.dll|\\+wdi\.dll|\\+wdscore\.dll|\\+webservices\.dll|\\+wecapi\.dll|\\+wer\.dll|\\+wevtapi\.dll|\\+whhelper\.dll|\\+wimgapi\.dll|\\+winbrand\.dll|\\+windows\.storage\.dll|\\+windows\.storage\.search\.dll|\\+windowscodecs\.dll|\\+windowscodecsext\.dll|\\+windowsudk\.shellcommon\.dll|\\+winhttp\.dll|\\+wininet\.dll|\\+winipsec\.dll|\\+winmde\.dll|\\+winmm\.dll|\\+winnsi\.dll|\\+winrnr\.dll|\\+winsqlite3\.dll|\\+winsta\.dll|\\+wkscli\.dll|\\+wlanapi\.dll|\\+wlancfg\.dll|\\+wldp\.dll|\\+wlidprov\.dll|\\+wmiclnt\.dll|\\+wmidcom\.dll|\\+wmiutils\.dll|\\+wmsgapi\.dll|\\+wofutil\.dll|\\+wpdshext\.dll|\\+wshbth\.dll|\\+wshelper\.dll|\\+wtsapi32\.dll|\\+wwapi\.dll|\\+xmllite\.dll|\\+xolehlp\.dll|\\+xwizards\.dll|\\+xwtpw32\.dll|\\+aclui\.dll|\\+bderepair\.dll|\\+bootmenuux\.dll|\\+dcntel\.dll|\\+dwmcore\.dll|\\+dynamoapi\.dll|\\+fhsvcctl\.dll|\\+fxsst\.dll|\\+inproclogger\.dll|\\+iumbase\.dll|\\+kdstub\.dll|\\+maintenanceui\.dll|\\+mdmdiagnostics\.dll|\\+mintdh\.dll|\\+msdtctm\.dll|\\+nettrace\.dll|\\+osksupport\.dll|\\+reseteng\.dll|\\+resetengine\.dll|\\+spectrumsyncclient\.dll|\\+srcore\.dll|\\+systemsettingsthresholdadminflowui\.dll|\\+timesync\.dll|\\+upshared\.dll|\\+wmpdui\.dll|\\+wwancfg\.dll|\\+dpx\.dll|\\+fxsapi\.dll|\\+fxstiff\.dll|\\+xpsservices\.dll|\\+appvpolicy\.dll|\\+batmeter\.dll|\\+bootux\.dll|\\+cmutil\.dll|\\+configmanager2\.dll|\\+coredplus\.dll|\\+coreuicomponents\.dll|\\+cryptsp\.dll|\\+dmcommandlineutils\.dll|\\+drvstore\.dll|\\+dsprop\.dll|\\+dxcore\.dll|\\+edgeiso\.dll|\\+framedynos\.dll|\\+fveskybackup\.dll|\\+fvewiz\.dll|\\+gpapi\.dll|\\+icmp\.dll|\\+ifsutil\.dll|\\+iumsdk\.dll|\\+lockhostingframework\.dll|\\+lrwizdll\.dll|\\+mbaexmlparser\.dll|\\+mfc42u\.dll|\\+msiso\.dll|\\+msvcp110_win\.dll|\\+netapi32\.dll|\\+netjoin\.dll|\\+netprovfw\.dll|\\+opcservices\.dll|\\+pkeyhelper\.dll|\\+playsndsrv\.dll|\\+powrprof\.dll|\\+prntvpt\.dll|\\+profapi\.dll|\\+proximitycommon\.dll|\\+proximityservicepal\.dll|\\+rasdlg\.dll|\\+security\.dll|\\+sppcext\.dll|\\+srmtrace\.dll|\\+tpmcoreprovisioning\.dll|\\+umpdc\.dll|\\+unattend\.dll|\\+urlmon\.dll|\\+vdsutil\.dll|\\+version\.dll|\\+winbio\.dll|\\+windows\.ui\.immersive\.dll|\\+winscard\.dll|\\+winsync\.dll|\\+wscapi\.dll|\\+wsmsvc\.dll|\\+FxsCompose\.dll|\\+WfsR\.dll|\\+rpchttp\.dll|\\+storageusage\.dll|\\+amsi\.dll|\\+PrintIsolationProxy\.dll|\\+msdtcVSp1res\.dll|\\+rdpendp\.dll|\\+dxilconv\.dll|\\+utcutil\.dll|\\+appraiser\.dll|\\+dsound\.dll|\\+DispBroker\.dll|\\+FXSRESM\.DLL|\\+cryptnet\.dll|\\+COMRES\.DLL|\\+igdumdim64\.dll|\\+igd10iumd64\.dll|\\+igd12umd64\.dll|\\+igdusc64\.dll|\\+WLBSCTRL\.dll|\\+TSMSISrv\.dll|\\+TSVIPSrv\.dll|\\+wow64log\.dll|\\+WptsExtensions\.dll|\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SystemTemp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+cscui\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+version\.dll)$</field>
    </rule>
    <rule id="900696" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential System DLL Sideloading From Non System Locations</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+shfolder\.dll|\\+activeds\.dll|\\+adsldpc\.dll|\\+aepic\.dll|\\+apphelp\.dll|\\+applicationframe\.dll|\\+appxalluserstore\.dll|\\+appxdeploymentclient\.dll|\\+archiveint\.dll|\\+atl\.dll|\\+audioses\.dll|\\+auditpolcore\.dll|\\+authfwcfg\.dll|\\+authz\.dll|\\+avrt\.dll|\\+bcd\.dll|\\+bcp47langs\.dll|\\+bcp47mrm\.dll|\\+bcrypt\.dll|\\+cabinet\.dll|\\+cabview\.dll|\\+certenroll\.dll|\\+cldapi\.dll|\\+clipc\.dll|\\+clusapi\.dll|\\+cmpbk32\.dll|\\+coloradapterclient\.dll|\\+colorui\.dll|\\+comdlg32\.dll|\\+connect\.dll|\\+coremessaging\.dll|\\+credui\.dll|\\+cryptbase\.dll|\\+cryptdll\.dll|\\+cryptui\.dll|\\+cryptxml\.dll|\\+cscapi\.dll|\\+cscobj\.dll|\\+cscui\.dll|\\+d2d1\.dll|\\+d3d10\.dll|\\+d3d10_1\.dll|\\+d3d10_1core\.dll|\\+d3d10core\.dll|\\+d3d10warp\.dll|\\+d3d11\.dll|\\+d3d12\.dll|\\+d3d9\.dll|\\+dataexchange\.dll|\\+davclnt\.dll|\\+dcomp\.dll|\\+defragproxy\.dll|\\+desktopshellext\.dll|\\+deviceassociation\.dll|\\+devicecredential\.dll|\\+devicepairing\.dll|\\+devobj\.dll|\\+devrtl\.dll|\\+dhcpcmonitor\.dll|\\+dhcpcsvc\.dll|\\+dhcpcsvc6\.dll|\\+directmanipulation\.dll|\\+dismapi\.dll|\\+dismcore\.dll|\\+dmcfgutils\.dll|\\+dmcmnutils\.dll|\\+dmenrollengine\.dll|\\+dmenterprisediagnostics\.dll|\\+dmiso8601utils\.dll|\\+dmoleaututils\.dll|\\+dmprocessxmlfiltered\.dll|\\+dmpushproxy\.dll|\\+dmxmlhelputils\.dll|\\+dnsapi\.dll|\\+dot3api\.dll|\\+dot3cfg\.dll|\\+drprov\.dll|\\+dsclient\.dll|\\+dsparse\.dll|\\+dsreg\.dll|\\+dsrole\.dll|\\+dui70\.dll|\\+duser\.dll|\\+dusmapi\.dll|\\+dwmapi\.dll|\\+dwrite\.dll|\\+dxgi\.dll|\\+dxva2\.dll|\\+eappcfg\.dll|\\+eappprxy\.dll|\\+edputil\.dll|\\+efsadu\.dll|\\+efsutil\.dll|\\+esent\.dll|\\+execmodelproxy\.dll|\\+explorerframe\.dll|\\+fastprox\.dll|\\+faultrep\.dll|\\+fddevquery\.dll|\\+feclient\.dll|\\+fhcfg\.dll|\\+firewallapi\.dll|\\+flightsettings\.dll|\\+fltlib\.dll|\\+fveapi\.dll|\\+fwbase\.dll|\\+fwcfg\.dll|\\+fwpolicyiomgr\.dll|\\+fwpuclnt\.dll|\\+getuname\.dll|\\+hid\.dll|\\+hnetmon\.dll|\\+httpapi\.dll|\\+idstore\.dll|\\+ieadvpack\.dll|\\+iedkcs32\.dll|\\+iernonce\.dll|\\+iertutil\.dll|\\+ifmon\.dll|\\+iphlpapi\.dll|\\+iri\.dll|\\+iscsidsc\.dll|\\+iscsium\.dll|\\+isv\.exe_rsaenh\.dll|\\+joinutil\.dll|\\+ksuser\.dll|\\+ktmw32\.dll|\\+licensemanagerapi\.dll|\\+licensingdiagspp\.dll|\\+linkinfo\.dll|\\+loadperf\.dll|\\+logoncli\.dll|\\+logoncontroller\.dll|\\+lpksetupproxyserv\.dll|\\+magnification\.dll|\\+mapistub\.dll|\\+mfcore\.dll|\\+mfplat\.dll|\\+mi\.dll|\\+midimap\.dll|\\+miutils\.dll|\\+mlang\.dll|\\+mmdevapi\.dll|\\+mobilenetworking\.dll|\\+mpr\.dll|\\+mprapi\.dll|\\+mrmcorer\.dll|\\+msacm32\.dll|\\+mscms\.dll|\\+mscoree\.dll|\\+msctf\.dll|\\+msctfmonitor\.dll|\\+msdrm\.dll|\\+msftedit\.dll|\\+msi\.dll|\\+msutb\.dll|\\+mswb7\.dll|\\+mswsock\.dll|\\+msxml3\.dll|\\+mtxclu\.dll|\\+napinsp\.dll|\\+ncrypt\.dll|\\+ndfapi\.dll|\\+netid\.dll|\\+netiohlp\.dll|\\+netplwiz\.dll|\\+netprofm\.dll|\\+netsetupapi\.dll|\\+netshell\.dll|\\+netutils\.dll|\\+networkexplorer\.dll|\\+newdev\.dll|\\+ninput\.dll|\\+nlaapi\.dll|\\+nlansp_c\.dll|\\+npmproxy\.dll|\\+nshhttp\.dll|\\+nshipsec\.dll|\\+nshwfp\.dll|\\+ntdsapi\.dll|\\+ntlanman\.dll|\\+ntlmshared\.dll|\\+ntmarta\.dll|\\+ntshrui\.dll|\\+oleacc\.dll|\\+omadmapi\.dll|\\+onex\.dll|\\+osbaseln\.dll|\\+osuninst\.dll|\\+p2p\.dll|\\+p2pnetsh\.dll|\\+p9np\.dll|\\+pcaui\.dll|\\+pdh\.dll|\\+peerdistsh\.dll|\\+pla\.dll|\\+pnrpnsp\.dll|\\+policymanager\.dll|\\+polstore\.dll|\\+printui\.dll|\\+propsys\.dll|\\+prvdmofcomp\.dll|\\+puiapi\.dll|\\+radcui\.dll|\\+rasapi32\.dll|\\+rasgcw\.dll|\\+rasman\.dll|\\+rasmontr\.dll|\\+reagent\.dll|\\+regapi\.dll|\\+resutils\.dll|\\+rmclient\.dll|\\+rpcnsh\.dll|\\+rsaenh\.dll|\\+rtutils\.dll|\\+rtworkq\.dll|\\+samcli\.dll|\\+samlib\.dll|\\+sapi_onecore\.dll|\\+sas\.dll|\\+scansetting\.dll|\\+scecli\.dll|\\+schedcli\.dll|\\+secur32\.dll|\\+shell32\.dll|\\+slc\.dll|\\+snmpapi\.dll|\\+spp\.dll|\\+sppc\.dll|\\+srclient\.dll|\\+srpapi\.dll|\\+srvcli\.dll|\\+ssp\.exe_rsaenh\.dll|\\+ssp_isv\.exe_rsaenh\.dll|\\+sspicli\.dll|\\+ssshim\.dll|\\+staterepository\.core\.dll|\\+structuredquery\.dll|\\+sxshared\.dll|\\+tapi32\.dll|\\+tbs\.dll|\\+tdh\.dll|\\+tquery\.dll|\\+tsworkspace\.dll|\\+ttdrecord\.dll|\\+twext\.dll|\\+twinapi\.dll|\\+twinui\.appcore\.dll|\\+uianimation\.dll|\\+uiautomationcore\.dll|\\+uireng\.dll|\\+uiribbon\.dll|\\+updatepolicy\.dll|\\+userenv\.dll|\\+utildll\.dll|\\+uxinit\.dll|\\+uxtheme\.dll|\\+vaultcli\.dll|\\+virtdisk\.dll|\\+vssapi\.dll|\\+vsstrace\.dll|\\+wbemprox\.dll|\\+wbemsvc\.dll|\\+wcmapi\.dll|\\+wcnnetsh\.dll|\\+wdi\.dll|\\+wdscore\.dll|\\+webservices\.dll|\\+wecapi\.dll|\\+wer\.dll|\\+wevtapi\.dll|\\+whhelper\.dll|\\+wimgapi\.dll|\\+winbrand\.dll|\\+windows\.storage\.dll|\\+windows\.storage\.search\.dll|\\+windowscodecs\.dll|\\+windowscodecsext\.dll|\\+windowsudk\.shellcommon\.dll|\\+winhttp\.dll|\\+wininet\.dll|\\+winipsec\.dll|\\+winmde\.dll|\\+winmm\.dll|\\+winnsi\.dll|\\+winrnr\.dll|\\+winsqlite3\.dll|\\+winsta\.dll|\\+wkscli\.dll|\\+wlanapi\.dll|\\+wlancfg\.dll|\\+wldp\.dll|\\+wlidprov\.dll|\\+wmiclnt\.dll|\\+wmidcom\.dll|\\+wmiutils\.dll|\\+wmsgapi\.dll|\\+wofutil\.dll|\\+wpdshext\.dll|\\+wshbth\.dll|\\+wshelper\.dll|\\+wtsapi32\.dll|\\+wwapi\.dll|\\+xmllite\.dll|\\+xolehlp\.dll|\\+xwizards\.dll|\\+xwtpw32\.dll|\\+aclui\.dll|\\+bderepair\.dll|\\+bootmenuux\.dll|\\+dcntel\.dll|\\+dwmcore\.dll|\\+dynamoapi\.dll|\\+fhsvcctl\.dll|\\+fxsst\.dll|\\+inproclogger\.dll|\\+iumbase\.dll|\\+kdstub\.dll|\\+maintenanceui\.dll|\\+mdmdiagnostics\.dll|\\+mintdh\.dll|\\+msdtctm\.dll|\\+nettrace\.dll|\\+osksupport\.dll|\\+reseteng\.dll|\\+resetengine\.dll|\\+spectrumsyncclient\.dll|\\+srcore\.dll|\\+systemsettingsthresholdadminflowui\.dll|\\+timesync\.dll|\\+upshared\.dll|\\+wmpdui\.dll|\\+wwancfg\.dll|\\+dpx\.dll|\\+fxsapi\.dll|\\+fxstiff\.dll|\\+xpsservices\.dll|\\+appvpolicy\.dll|\\+batmeter\.dll|\\+bootux\.dll|\\+cmutil\.dll|\\+configmanager2\.dll|\\+coredplus\.dll|\\+coreuicomponents\.dll|\\+cryptsp\.dll|\\+dmcommandlineutils\.dll|\\+drvstore\.dll|\\+dsprop\.dll|\\+dxcore\.dll|\\+edgeiso\.dll|\\+framedynos\.dll|\\+fveskybackup\.dll|\\+fvewiz\.dll|\\+gpapi\.dll|\\+icmp\.dll|\\+ifsutil\.dll|\\+iumsdk\.dll|\\+lockhostingframework\.dll|\\+lrwizdll\.dll|\\+mbaexmlparser\.dll|\\+mfc42u\.dll|\\+msiso\.dll|\\+msvcp110_win\.dll|\\+netapi32\.dll|\\+netjoin\.dll|\\+netprovfw\.dll|\\+opcservices\.dll|\\+pkeyhelper\.dll|\\+playsndsrv\.dll|\\+powrprof\.dll|\\+prntvpt\.dll|\\+profapi\.dll|\\+proximitycommon\.dll|\\+proximityservicepal\.dll|\\+rasdlg\.dll|\\+security\.dll|\\+sppcext\.dll|\\+srmtrace\.dll|\\+tpmcoreprovisioning\.dll|\\+umpdc\.dll|\\+unattend\.dll|\\+urlmon\.dll|\\+vdsutil\.dll|\\+version\.dll|\\+winbio\.dll|\\+windows\.ui\.immersive\.dll|\\+winscard\.dll|\\+winsync\.dll|\\+wscapi\.dll|\\+wsmsvc\.dll|\\+FxsCompose\.dll|\\+WfsR\.dll|\\+rpchttp\.dll|\\+storageusage\.dll|\\+amsi\.dll|\\+PrintIsolationProxy\.dll|\\+msdtcVSp1res\.dll|\\+rdpendp\.dll|\\+dxilconv\.dll|\\+utcutil\.dll|\\+appraiser\.dll|\\+dsound\.dll|\\+DispBroker\.dll|\\+FXSRESM\.DLL|\\+cryptnet\.dll|\\+COMRES\.DLL|\\+igdumdim64\.dll|\\+igd10iumd64\.dll|\\+igd12umd64\.dll|\\+igdusc64\.dll|\\+WLBSCTRL\.dll|\\+TSMSISrv\.dll|\\+TSVIPSrv\.dll|\\+wow64log\.dll|\\+WptsExtensions\.dll|\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mswb7\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Arsenal\-Image\-Mounter\-</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+miutils\.dl)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ClickToRun\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ClickToRun\\+AppVPolicy\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+backgroundTaskHost\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wldp\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+CheckPoint\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+CheckPoint\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SmartConsole\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+CheckPoint\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+CheckPoint\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+PolicyManager\.dll)$</field>
    </rule>
    <rule id="900697" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Goopdate.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+goopdate\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="900698" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Goopdate.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+goopdate\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+GUM</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\.tmp\\+Dropbox</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+GUM</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\.tmp\\+goopdate\.dll</field>
    </rule>
    <rule id="900699" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gup\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libcurl\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
    </rule>
    <rule id="900700" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_iviewers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Iviewers.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+iviewers\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Kits\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Kits\\+)</field>
    </rule>
    <rule id="900701" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via JsSchHlp</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+JSESPR\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Justsystem\\+JsSchHlp\\+)</field>
    </rule>
    <rule id="900702" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Libvlc.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libvlc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+VideoLAN\\+VLC\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VideoLAN\\+VLC\\+)</field>
    </rule>
    <rule id="900703" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mfdetours.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mfdetours\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Windows\ Kits\\+10\\+bin\\+</field>
    </rule>
    <rule id="900704" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Unsigned Mfdetours.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mfdetours\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Windows\ Kits\\+10\\+bin\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Valid</field>
    </rule>
    <rule id="900705" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of Non-Existent DLLs From System Folders</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+TSMSISrv\.dll|:\\+Windows\\+System32\\+TSVIPSrv\.dll|:\\+Windows\\+System32\\+wbem\\+wbemcomn\.dll|:\\+Windows\\+System32\\+WLBSCTRL\.dll|:\\+Windows\\+System32\\+wow64log\.dll|:\\+Windows\\+System32\\+WptsExtensions\.dll)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Valid</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Microsoft\ Windows</field>
    </rule>
    <rule id="900706" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Microsoft Office DLL Sideload</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+outllib\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+Root\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+Root\\+OFFICE)</field>
    </rule>
    <rule id="900707" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rcdll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Rcdll.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+rcdll\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Kits\\+)</field>
    </rule>
    <rule id="900708" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RjvPlatform.DLL Sideloading From Default Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+SystemResetPlatform\\+SystemResetPlatform\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+\$SysReset\\+Framework\\+Stack\\+RjvPlatform\.dll</field>
    </rule>
    <rule id="900709" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RjvPlatform.DLL Sideloading From Non-Default Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RjvPlatform\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+SystemResetPlatform\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+SystemResetPlatform\\+)</field>
    </rule>
    <rule id="900710" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RoboForm.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+roboform\.dll|\\+roboform\-x64\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\ C:\\+Program\ Files\ $x86$\\+Siber\ Systems\\+AI\ RoboForm\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\ C:\\+Program\ Files\\+Siber\ Systems\\+AI\ RoboForm\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+robotaskbaricon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+robotaskbaricon\-x64\.exe)$</field>
    </rule>
    <rule id="900711" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shelldispatch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential ShellDispatch.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ShellDispatch\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900712" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Sideloading Of ShellChromeAPI.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ShellChromeAPI\.dll)$</field>
    </rule>
    <rule id="900713" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential SmadHook.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SmadHook32c\.dll|\\+SmadHook64c\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+SMADAV\\+SmadavProtect32\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+SMADAV\\+SmadavProtect64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+SMADAV\\+SmadavProtect32\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+SMADAV\\+SmadavProtect64\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SMADAV\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SMADAV\\+)</field>
    </rule>
    <rule id="900714" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential SolidPDFCreator.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SolidPDFCreator\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SolidPDFCreator\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SolidDocuments\\+SolidPDFCreator\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SolidDocuments\\+SolidPDFCreator\\+)</field>
    </rule>
    <rule id="900715" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Third Party Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+commfunc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+local\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Lenovo\\+Communications\ Utility\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Lenovo\\+Communications\ Utility\\+)</field>
    </rule>
    <rule id="900716" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Third Party Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+commfunc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tosbtkbd\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Toshiba\\+Bluetooth\ Toshiba\ Stack\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Toshiba\\+Bluetooth\ Toshiba\ Stack\\+)</field>
    </rule>
    <rule id="900717" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ualapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Fax Service DLL Search Order Hijack</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fxssvc\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:ualapi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900718" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Vivaldi_elf.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vivaldi_elf\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Vivaldi\\+Application\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+Vivaldi\\+Application\\+</field>
    </rule>
    <rule id="900719" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMGuestLib DLL Sideload</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+vmStatsProvider\\+win32</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+vmGuestLib\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+wbem\\+WmiApSrv\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900720" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMMap Signed Dbghelp.DLL Potential Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Debuggers\\+dbghelp\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vmmap\.exe|\\+vmmap64\.exe)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900721" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMMap Unsigned Dbghelp.DLL Potential Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Debuggers\\+dbghelp\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vmmap\.exe|\\+vmmap64\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900722" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmware_xfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via VMware Xfer</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VMwareXferlogs\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+glib\-2\.0\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VMware\\+)</field>
    </rule>
    <rule id="900723" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_waveedit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Waveedit.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+waveedit\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+waveedit\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+waveedit\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+)</field>
    </rule>
    <rule id="900724" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Wazuh Security Platform DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libwazuhshared\.dll|\\+libwinpthread\-1\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900725" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Wazuh Security Platform DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libwazuhshared\.dll|\\+libwinpthread\-1\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+ProgramData\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mingw64\\+bin\\+libwinpthread\-1\.dll)$</field>
    </rule>
    <rule id="900726" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_windows_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mpclient\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Security\ Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900727" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential WWlib.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wwlib\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
    </rule>
    <rule id="900728" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>Windows Spooler Service Suspicious Binary Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+3\\+|\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+4\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900729" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>DLL Load By System Process From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+|C:\\+PerfLogs\\+)</field>
    </rule>
    <rule id="900730" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.002</id>
        </mitre>
        <description>Python Image Load By Non-Python Process</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Python\ Core</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Python</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Anaconda3\\+)</field>
    </rule>
    <rule id="900731" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.002</id>
        </mitre>
        <description>Python Image Load By Non-Python Process</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Python\ Core</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900732" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>DotNet CLR DLL Loaded By Scripting Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+msxsl\.exe|\\+regsvr32\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+clr\.dll|\\+mscoree\.dll|\\+mscorlib\.dll)$</field>
    </rule>
    <rule id="900733" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218.011</id>
            <id>attack.t1218.010</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Unsigned DLL Loaded by Windows Utility</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+InstallUtil\.exe|\\+RegAsm\.exe|\\+RegSvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)errorChaining</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)errorCode_endpoint</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)errorExpired</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)trusted</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)None</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\-</field>
    </rule>
    <rule id="900734" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_thor_unsigned_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Suspicious Unsigned Thor Scanner Execution</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+thor\.exe|\\+thor64\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+thor\.exe|\\+thor64\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)valid</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)Nextron\ Systems\ GmbH</field>
    </rule>
    <rule id="900735" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Iscsicpl - ImageLoad</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+iscsicpl\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+iscsiexe\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)iscsiexe\.dll</field>
    </rule>
    <rule id="900736" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>UAC Bypass With Fake DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dism\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dismcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Dism\\+dismcore\.dll</field>
    </rule>
    <rule id="900737" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>WMIC Loading Scripting Libraries</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+jscript\.dll|\\+vbscript\.dll)$</field>
    </rule>
    <rule id="900738" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Wmiprvse Wbemcomn DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
    </rule>
    <rule id="900739" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.003</id>
            <id>attack.persistence</id>
        </mitre>
        <description>WMI Persistence - Command Line Event Consumer</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wbemcons\.dll)$</field>
    </rule>
    <rule id="900740" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+WsmSvc\.dll|\\+WsmAuto\.dll|\\+Microsoft\.WSMan\.Management\.ni\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WsmSvc\.dll|WSMANAUTOMATION\.DLL|Microsoft\.WSMan\.Management\.dll</field>
    </rule>
    <rule id="900741" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WsmWmiPl\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ BITS</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ GraphicsPerfSvcGroup\ \-s\ GraphicsPerfSvc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ NetworkService\ \-p\ \-s\ Wecsvc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+v)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework\\+v)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Configure\-SMRemoting\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+ServerManager\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+asgard2\-agent\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Citrix\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+Sources\\+)</field>
    </rule>
    <rule id="900742" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WsmWmiPl\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900743" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_addinutil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Network Connection Initiated By AddinUtil.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
    </rule>
    <rule id="900744" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Connection Initiated Via Certutil.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)80|135|443|445</field>
    </rule>
    <rule id="900745" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
        </mitre>
        <description>Dllhost.EXE Initiated Network Connection To Non-Local IP Address</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.184\.0\.0/13</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.192\.0\.0/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)23\.72\.0\.0/13</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.10\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.103\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.104\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)52\.224\.0\.0/11</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)204\.79\.197\.0/24</field>
    </rule>
    <rule id="900746" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To Mega.nz</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:mega\.co\.nz|mega\.nz)$</field>
    </rule>
    <rule id="900747" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Process Initiated Network  Connection To Ngrok Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.ngrok\-free\.app|\.ngrok\-free\.dev|\.ngrok\.app|\.ngrok\.dev|\.ngrok\.io)$</field>
    </rule>
    <rule id="900748" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.command_and_control</id>
            <id>attack.t1567</id>
            <id>attack.t1568.002</id>
            <id>attack.t1572</id>
            <id>attack.t1090</id>
            <id>attack.t1102</id>
            <id>attack.s0508</id>
        </mitre>
        <description>Communication To Ngrok Tunneling Service Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)tunnel\.us\.ngrok\.com|tunnel\.eu\.ngrok\.com|tunnel\.ap\.ngrok\.com|tunnel\.au\.ngrok\.com|tunnel\.sa\.ngrok\.com|tunnel\.jp\.ngrok\.com|tunnel\.in\.ngrok\.com</field>
    </rule>
    <rule id="900749" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
        </mitre>
        <description>Equation Editor Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe)$</field>
    </rule>
    <rule id="900750" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Network Connection Initiated By IMEWDBLD.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+IMEWDBLD\.exe)$</field>
    </rule>
    <rule id="900751" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec_http.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Msiexec.EXE Initiated Network Connection Over HTTP</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)80|443</field>
    </rule>
    <rule id="900752" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Network Connection Initiated Via Notepad.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)9100</field>
    </rule>
    <rule id="900753" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Potentially Suspicious Network Connection To Notion API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.notion\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Notion\\+Notion\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900754" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
        </mitre>
        <description>Office Application Initiated Network Connection To Non-Local IP</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.184\.0\.0/13</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.192\.0\.0/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)23\.72\.0\.0/13</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.10\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.103\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.104\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)204\.79\.197\.0/24</field>
    </rule>
    <rule id="900755" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Office Application Initiated Network Connection Over Uncommon Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)53</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)80</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)139</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)443</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)445</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)465</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)587</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)993</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)995</field>
    </rule>
    <rule id="900756" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Python Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)python</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)127\.0\.0\.1</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.1</field>
    </rule>
    <rule id="900757" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Python Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)python</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Anaconda3\\+Scripts\\+conda\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Anaconda3\\+Scripts\\+conda\-script\.py</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Anaconda3\\+python\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Anaconda3\\+Scripts\\+jupyter\-notebook\-script\.py</field>
    </rule>
    <rule id="900758" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Outbound RDP Connections Over Non-Standard Tools</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)3389</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+mstsc\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+mstsc\.exe</field>
    </rule>
    <rule id="900759" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Outbound RDP Connections Over Non-Standard Tools</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)3389</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+dns\.exe</field>
        <field name="win.eventdata.sourcePort" negate="yes" type="pcre2">(?i)53</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)udp</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Avast\ Software\\+Avast\\+AvastSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Avast\\+AvastSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RDCMan\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FSAssessment\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FSDiscovery\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MobaRTE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mRemote\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mRemoteNG\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Passwordstate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManager64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManagerFree\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RSSensor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RTS2App\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RTSApp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+spiceworks\-finder\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Terminals\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ws_TunnelService\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SplunkUniversalForwarder\\+bin\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Ranger\\+SentinelRanger\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+TSplus\\+Java\\+bin\\+HTML5service\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+TSplus\\+Java\\+bin\\+HTML5service\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)&lt;unknown\ process&gt;</field>
    </rule>
    <rule id="900760" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP to HTTP or HTTPS Target Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.sourcePort" negate="no" type="pcre2">(?i)3389</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)80|443</field>
    </rule>
    <rule id="900761" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Network Connection Initiated By Regsvr32.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900762" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.execution</id>
        </mitre>
        <description>Rundll32 Internet Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.103\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.104\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.105\.0\.0/16</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+PcaSvc\.dll,PcaPatchSdbTask)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\.internal\.cloudapp\.net)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)443</field>
    </rule>
    <rule id="900763" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Script Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
    </rule>
    <rule id="900764" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Script Initiated Connection to Non-Local Network</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.0\.0\.0/11</field>
    </rule>
    <rule id="900765" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1127.001</id>
        </mitre>
        <description>Silenttrinity Stager Msbuild Activity</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msbuild\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)80|443</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900766" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Network Connection Binary No CommandLine</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe|\\+rundll32\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe|\\+rundll32\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900767" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
        </mitre>
        <description>Cmstp Making Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
    </rule>
    <rule id="900768" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>Network Communication With Crypto Mining Pool</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)alimabi\.cn|ap\.luckpool\.net|bcn\.pool\.minergate\.com|bcn\.vip\.pool\.minergate\.com|bohemianpool\.com|ca\-aipg\.miningocean\.org|ca\-dynex\.miningocean\.org|ca\-neurai\.miningocean\.org|ca\-qrl\.miningocean\.org|ca\-upx\.miningocean\.org|ca\-zephyr\.miningocean\.org|ca\.minexmr\.com|ca\.monero\.herominers\.com|cbd\.monerpool\.org|cbdv2\.monerpool\.org|cryptmonero\.com|crypto\-pool\.fr|crypto\-pool\.info|cryptonight\-hub\.miningpoolhub\.com|d1pool\.ddns\.net|d5pool\.us|daili01\.monerpool\.org|de\-aipg\.miningocean\.org|de\-dynex\.miningocean\.org|de\-zephyr\.miningocean\.org|de\.minexmr\.com|dl\.nbminer\.com|donate\.graef\.in|donate\.ssl\.xmrig\.com|donate\.v2\.xmrig\.com|donate\.xmrig\.com|donate2\.graef\.in|drill\.moneroworld\.com|dwarfpool\.com|emercoin\.com|emercoin\.net|emergate\.net|ethereumpool\.co|eu\.luckpool\.net|eu\.minerpool\.pw|fcn\-xmr\.pool\.minergate\.com|fee\.xmrig\.com|fr\-aipg\.miningocean\.org|fr\-dynex\.miningocean\.org|fr\-neurai\.miningocean\.org|fr\-qrl\.miningocean\.org|fr\-upx\.miningocean\.org|fr\-zephyr\.miningocean\.org|fr\.minexmr\.com|hellominer\.com|herominers\.com|hk\-aipg\.miningocean\.org|hk\-dynex\.miningocean\.org|hk\-neurai\.miningocean\.org|hk\-qrl\.miningocean\.org|hk\-upx\.miningocean\.org|hk\-zephyr\.miningocean\.org|huadong1\-aeon\.ppxxmr\.com|iwanttoearn\.money|jw\-js1\.ppxxmr\.com|koto\-pool\.work|lhr\.nbminer\.com|lhr3\.nbminer\.com|linux\.monerpool\.org|lokiturtle\.herominers\.com|luckpool\.net|masari\.miner\.rocks|mine\.c3pool\.com|mine\.moneropool\.com|mine\.ppxxmr\.com|mine\.zpool\.ca|mine1\.ppxxmr\.com|minemonero\.gq|miner\.ppxxmr\.com|miner\.rocks|minercircle\.com|minergate\.com|minerpool\.pw|minerrocks\.com|miners\.pro|minerxmr\.ru|minexmr\.cn|minexmr\.com|mining\-help\.ru|miningpoolhub\.com|mixpools\.org|moner\.monerpool\.org|moner1min\.monerpool\.org|monero\-master\.crypto\-pool\.fr|monero\.crypto\-pool\.fr|monero\.hashvault\.pro|monero\.herominers\.com|monero\.lindon\-pool\.win|monero\.miners\.pro|monero\.riefly\.id|monero\.us\.to|monerocean\.stream|monerogb\.com|monerohash\.com|moneroocean\.stream|moneropool\.com|moneropool\.nl|monerorx\.com|monerpool\.org|moriaxmr\.com|mro\.pool\.minergate\.com|multipool\.us|myxmr\.pw|na\.luckpool\.net|nanopool\.org|nbminer\.com|node3\.luckpool\.net|noobxmr\.com|pangolinminer\.comgandalph3000\.com|pool\.4i7i\.com|pool\.armornetwork\.org|pool\.cortins\.tk|pool\.gntl\.co\.uk|pool\.hashvault\.pro|pool\.minergate\.com|pool\.minexmr\.com|pool\.monero\.hashvault\.pro|pool\.ppxxmr\.com|pool\.somec\.cc|pool\.support|pool\.supportxmr\.com|pool\.usa\-138\.com|pool\.xmr\.pt|pool\.xmrfast\.com|pool2\.armornetwork\.org|poolchange\.ppxxmr\.com|pooldd\.com|poolmining\.org|poolto\.be|ppxvip1\.ppxxmr\.com|ppxxmr\.com|prohash\.net|r\.twotouchauthentication\.online|randomx\.xmrig\.com|ratchetmining\.com|seed\.emercoin\.com|seed\.emercoin\.net|seed\.emergate\.net|seed1\.joulecoin\.org|seed2\.joulecoin\.org|seed3\.joulecoin\.org|seed4\.joulecoin\.org|seed5\.joulecoin\.org|seed6\.joulecoin\.org|seed7\.joulecoin\.org|seed8\.joulecoin\.org|sg\-aipg\.miningocean\.org|sg\-dynex\.miningocean\.org|sg\-neurai\.miningocean\.org|sg\-qrl\.miningocean\.org|sg\-upx\.miningocean\.org|sg\-zephyr\.miningocean\.org|sg\.minexmr\.com|sheepman\.mine\.bz|siamining\.com|sumokoin\.minerrocks\.com|supportxmr\.com|suprnova\.cc|teracycle\.net|trtl\.cnpool\.cc|trtl\.pool\.mine2gether\.com|turtle\.miner\.rocks|us\-aipg\.miningocean\.org|us\-dynex\.miningocean\.org|us\-neurai\.miningocean\.org|us\-west\.minexmr\.com|us\-zephyr\.miningocean\.org|usxmrpool\.com|viaxmr\.com|webservicepag\.webhop\.net|xiazai\.monerpool\.org|xiazai1\.monerpool\.org|xmc\.pool\.minergate\.com|xmo\.pool\.minergate\.com|xmr\-asia1\.nanopool\.org|xmr\-au1\.nanopool\.org|xmr\-eu1\.nanopool\.org|xmr\-eu2\.nanopool\.org|xmr\-jp1\.nanopool\.org|xmr\-us\-east1\.nanopool\.org|xmr\-us\-west1\.nanopool\.org|xmr\-us\.suprnova\.cc|xmr\-usa\.dwarfpool\.com|xmr\.2miners\.com|xmr\.5b6b7b\.ru|xmr\.alimabi\.cn|xmr\.bohemianpool\.com|xmr\.crypto\-pool\.fr|xmr\.crypto\-pool\.info|xmr\.f2pool\.com|xmr\.hashcity\.org|xmr\.hex7e4\.ru|xmr\.ip28\.net|xmr\.monerpool\.org|xmr\.mypool\.online|xmr\.nanopool\.org|xmr\.pool\.gntl\.co\.uk|xmr\.pool\.minergate\.com|xmr\.poolto\.be|xmr\.ppxxmr\.com|xmr\.prohash\.net|xmr\.simka\.pw|xmr\.somec\.cc|xmr\.suprnova\.cc|xmr\.usa\-138\.com|xmr\.vip\.pool\.minergate\.com|xmr1min\.monerpool\.org|xmrf\.520fjh\.org|xmrf\.fjhan\.club|xmrfast\.com|xmrigcc\.graef\.in|xmrminer\.cc|xmrpool\.de|xmrpool\.eu|xmrpool\.me|xmrpool\.net|xmrpool\.xyz|xx11m\.monerpool\.org|xx11mv2\.monerpool\.org|xxx\.hex7e4\.ru|zarabotaibitok\.ru|zer0day\.ru</field>
    </rule>
    <rule id="900769" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1102.001</id>
        </mitre>
        <description>Potential Dead Drop Resolvers</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.t\.me|4shared\.com|anonfiles\.com|cdn\.discordapp\.com|cloudflare\.com|ddns\.net|discord\.com|docs\.google\.com|drive\.google\.com|dropbox\.com|dropmefiles\.com|facebook\.com|feeds\.rapidfeeds\.com|fotolog\.com|ghostbin\.co/|githubusercontent\.com|gofile\.io|hastebin\.com|imgur\.com|livejournal\.com|mediafire\.com|mega\.co\.nz|mega\.nz|onedrive\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|reddit\.com|send\.exploit\.in|sendspace\.com|steamcommunity\.com|storage\.googleapis\.com|technet\.microsoft\.com|temp\.sh|transfer\.sh|twitter\.com|ufile\.io|abuse\.ch|vimeo\.com|wetransfer\.com|youtube\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Safari\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Safari\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\ Advanced\ Threat\ Protection\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsSense\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+PRTG\ Network\ Monitor\\+PRTG\ Probe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PRTG\ Network\ Monitor\\+PRTG\ Probe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+BraveSoftware\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Maxthon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Vivaldi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Waterfox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+midori\-ng\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Midori\ Next\ Generation\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slimbrowser\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Flock\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Flock\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Phoebe\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Phoebe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+falkon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+QtWeb\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+QtWeb\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+QtWeb\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+avant\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+WindowsApps\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WhatsApp\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:facebook\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Telegram\ Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Telegram\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:\.t\.me)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OneDrive\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:onedrive\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dropbox\\+Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+DropboxInstaller\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:dropbox\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsync\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup32_.+RC\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAupdater\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:mega\.co\.nz)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:mega\.nz)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:GoogleDriveFS\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:drive\.google\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:discord\.com)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:cdn\.discordapp\.com)$</field>
    </rule>
    <rule id="900770" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To DevTunnels Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.devtunnels\.ms)$</field>
    </rule>
    <rule id="900771" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Dropbox API Usage</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:api\.dropboxapi\.com|content\.dropboxapi\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Dropbox</field>
    </rule>
    <rule id="900772" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
        </mitre>
        <description>Suspicious Network Connection to IP Lookup Service APIs</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)www\.ip\.cn|l2\.io</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.2ip\.ua|api\.bigdatacloud\.net|api\.ipify\.org|bot\.whatismyipaddress\.com|canireachthe\.net|checkip\.amazonaws\.com|checkip\.dyndns\.org|curlmyip\.com|db\-ip\.com|edns\.ip\-api\.com|eth0\.me|freegeoip\.app|geoipy\.com|getip\.pro|icanhazip\.com|ident\.me|ifconfig\.io|ifconfig\.me|ip\-api\.com|ip\.360\.cn|ip\.anysrc\.net|ip\.taobao\.com|ip\.tyk\.nu|ipaddressworld\.com|ipapi\.co|ipconfig\.io|ipecho\.net|ipinfo\.io|ipip\.net|ipof\.in|ipv4\.icanhazip\.com|ipv4bot\.whatismyipaddress\.com|ipv6\-test\.com|ipwho\.is|jsonip\.com|myexternalip\.com|seeip\.org|wgetip\.com|whatismyip\.akamai\.com|whois\.pconline\.com\.cn|wtfismyip\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900773" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Non-Browser Network Communication With Google API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)drive\.googleapis\.com|oauth2\.googleapis\.com|sheets\.googleapis\.com|www\.googleapis\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GoogleDriveFS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\\+EdgeCore\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
    </rule>
    <rule id="900774" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Potentially Suspicious Malware Callback Communication</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)100|198|200|243|473|666|700|743|777|1443|1515|1777|1817|1904|1960|2443|2448|3360|3675|3939|4040|4433|4438|4443|4444|4455|5445|5552|5649|6625|7210|7777|8143|8843|9631|9943|10101|12102|12103|12322|13145|13394|13504|13505|13506|13507|14102|14103|14154|49180|65520|65535</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
    </rule>
    <rule id="900775" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Potentially Suspicious Malware Callback Communication</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)100|198|200|243|473|666|700|743|777|1443|1515|1777|1817|1904|1960|2443|2448|3360|3675|3939|4040|4433|4438|4443|4444|4455|5445|5552|5649|6625|7210|7777|8143|8843|9631|9943|10101|12102|12103|12322|13145|13394|13504|13505|13506|13507|14102|14103|14154|49180|65520|65535</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900776" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Communication To Uncommon Destination Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)8080|8888</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
    </rule>
    <rule id="900777" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Communication To Uncommon Destination Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)8080|8888</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900778" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)88</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+lsass\.exe</field>
    </rule>
    <rule id="900779" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)88</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tomcat\\+bin\\+tomcat8\.exe)$</field>
    </rule>
    <rule id="900780" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1055</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Microsoft Sync Center Suspicious Network Connections</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mobsync\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
    </rule>
    <rule id="900781" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>Suspicious Outbound SMTP Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)25|587|465|2525</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thunderbird\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+microsoft\.windowscommunicationsapps_)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+HxTsr\.exe)$</field>
    </rule>
    <rule id="900782" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Program Location with Network Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin|:\\+Perflogs\\+|:\\+Users\\+Default\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Fonts\\+|:\\+Windows\\+IME\\+|\\+config\\+systemprofile\\+|\\+Windows\\+addins\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+IBM\\+ClientSolutions\\+Start_Programs\\+</field>
    </rule>
    <rule id="900783" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Potential Remote PowerShell Session Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)5985|5986</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="no" type="pcre2">(?i)false</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)NETWORK\ SERVICE</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)NETZWERKDIENST</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVICIO\ DE\ RED</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVIZIO\ DI\ RETE</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVICE\ R</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SEAU</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.1</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)::1</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)127\.0\.0\.1</field>
    </rule>
    <rule id="900784" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Potential Remote PowerShell Session Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)5985|5986</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="no" type="pcre2">(?i)false</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Avast\ Software\\+Avast\\+AvastSvc\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Avast\ Software\\+Avast\\+AvastSvc\.exe</field>
    </rule>
    <rule id="900785" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Non-Browser Network Communication With Telegram API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.telegram\.org</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900786" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To Visual Studio Code Tunnels Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.tunnels\.api\.visualstudio\.com)$</field>
    </rule>
    <rule id="900787" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.command_and_control</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Outbound Network Connection To Public IP Via Winlogon</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
    </rule>
    <rule id="900788" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious Wordpad Outbound Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)true</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wordpad\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)80</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)139</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)443</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)445</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)465</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)587</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)993</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)995</field>
    </rule>
    <rule id="900789" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Wuauclt Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)wuauclt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /RunHandlerComServer</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)127\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)10\.0\.0\.0/8</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)169\.254\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)172\.16\.0\.0/12</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)192\.168\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)::1/128</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fe80::/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)fc00::/7</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.184\.0\.0/13</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)20\.192\.0\.0/10</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)23\.79\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.10\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.103\.0\.0/16</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)51\.104\.0\.0/15</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)52\.224\.0\.0/11</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+Packages\\+Preview\\+amd64\\+updatedeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+amd64\\+UpdateDeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+UpdateDeploy\.dll\ /ClassId\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="900790" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1005</id>
        </mitre>
        <description>ADFS Database Named Pipe Connection By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+MICROSOFT\#\#WID\\+tsql\\+query</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+WID\\+Binn\\+sqlwriter\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AzureADConnect\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.IdentityServer\.ServiceHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.Tri\.Sensor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tssdis\.exe)$</field>
    </rule>
    <rule id="900791" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+MSSE\-</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\-server</field>
    </rule>
    <rule id="900792" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+postex_)</field>
    </rule>
    <rule id="900793" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+status_)</field>
    </rule>
    <rule id="900794" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+msagent_)</field>
    </rule>
    <rule id="900795" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+mojo_)</field>
    </rule>
    <rule id="900796" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+interprocess_)</field>
    </rule>
    <rule id="900797" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+samr_)</field>
    </rule>
    <rule id="900798" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+netlogon_)</field>
    </rule>
    <rule id="900799" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+srvsvc_)</field>
    </rule>
    <rule id="900800" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+lsarpc_)</field>
    </rule>
    <rule id="900801" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+wkssvc_)</field>
    </rule>
    <rule id="900802" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe Pattern Regex</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+wkssvc_?[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+ntsvcs[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+DserNamePipe[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+SearchTextHarvester[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+mypipe-(?:f|h)[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+windows\.update\.manager[0-9a-f]{2,3}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+ntsvcs_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+scerpc_?[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+PGMessagePipe[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+MsFteWds[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+f4c3[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+fullduplex_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+msrpc_[0-9a-f]{4}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+win\\+msrpc_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+f53f[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+rpc_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+spoolss_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+Winsock2\\+CatalogChangeListener-[0-9a-f]{3}-0,</field>
    </rule>
    <rule id="900803" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+DserNamePipe|\\+f4c3|\\+f53f|\\+fullduplex_|\\+mojo\.5688\.8052\.183894939787088877|\\+mojo\.5688\.8052\.35780273329370473|\\+MsFteWds|\\+msrpc_|\\+mypipe\-f|\\+mypipe\-h|\\+ntsvcs|\\+PGMessagePipe|\\+rpc_|\\+scerpc|\\+SearchTextHarvester|\\+spoolss|\\+win_svc|\\+win\\+msrpc_|\\+windows\.update\.manager|\\+wkssvc)</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+demoagent_11|\\+demoagent_22</field>
    </rule>
    <rule id="900804" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+Winsock2\\+CatalogChangeListener\-)</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)(?:\-0,)$</field>
    </rule>
    <rule id="900805" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+wkssvc</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+spoolss</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+scerpc</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+ntsvcs</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+SearchTextHarvester</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+PGMessagePipe</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+MsFteWds</field>
    </rule>
    <rule id="900806" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Websense\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Websense\\+</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+DserNamePipeR)</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+DserNamePipeW)</field>
    </rule>
    <rule id="900807" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Named Pipe Creation</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+coerced\\+</field>
    </rule>
    <rule id="900808" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - DiagTrackEoP Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)thisispipe</field>
    </rule>
    <rule id="900809" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - EfsPotato Named Pipe Creation</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+pipe\\+|\\+pipe\\+srvsvc</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+CtxShare</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+pipe\\+)</field>
    </rule>
    <rule id="900810" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
        </mitre>
        <description>HackTool - Credential Dumping Tools Named Pipe Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+cachedump|\\+lsadump|\\+wceservicepipe</field>
    </rule>
    <rule id="900811" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - Koh Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+imposecost|\\+imposingcost</field>
    </rule>
    <rule id="900812" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+dsac\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+inetsrv\\+w3wp\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+sdiagnhost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+ServerManager\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+wbem\\+wmiprvse\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+wsmprovhost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Tools\\+Binn\\+SQLPS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="900813" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Citrix\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+</field>
    </rule>
    <rule id="900814" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>New PowerShell Instance Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
    </rule>
    <rule id="900815" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CSExec Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+csexecsvc</field>
    </rule>
    <rule id="900816" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - PAExec Default Named Pipe</description>
        <options>no_full_log</options>
        <group>pipe_created,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PAExec)</field>
    </rule>
    <rule id="900817" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - RemCom Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+RemCom</field>
    </rule>
    <rule id="900818" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1047</id>
            <id>attack.execution</id>
        </mitre>
        <description>WMI Event Consumer Created Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
    </rule>
    <rule id="900819" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Malicious Named Pipe Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+46a676ab7f179e511e30dd2dc41bd388|\\+583da945\-62af\-10e8\-4902\-a8f205c72b2e|\\+6e7645c4\-32c5\-4fe3\-aabf\-e94c2f4370e7|\\+9f81f59bc58452127884ce513865ed20|\\+adschemerpc|\\+ahexec|\\+AnonymousPipe|\\+bc31a7|\\+bc367|\\+bizkaz|\\+csexecsvc|\\+dce_3d|\\+e710f28d59aa529d6792ca6ff0ca1b34|\\+gruntsvc|\\+isapi_dg|\\+isapi_dg2|\\+isapi_http|\\+jaccdpqnvbrrxlaf|\\+lsassw|\\+NamePipe_MoreWindows|\\+pcheap_reuse|\\+Posh|\\+rpchlp_3|\\+sdlrpc|\\+svcctl|\\+testPipe|\\+winsession</field>
    </rule>
    <rule id="900820" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PsExec Tool Execution From Suspicious Locations - PipeName</description>
        <options>no_full_log</options>
        <group>pipe_created,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+PSEXESVC</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+</field>
    </rule>
    <rule id="900821" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Nslookup PowerShell Download Cradle</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)powershell</field>
        <field name="full_log" negate="no" type="pcre2">(?i)nslookup</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\[1\]</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-q=txt\ http|\-querytype=txt\ http</field>
    </rule>
    <rule id="900822" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Delete Volume Shadow Copies Via WMI With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Get\-WmiObject</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Win32_Shadowcopy</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Delete|Remove\-WmiObject</field>
    </rule>
    <rule id="900823" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Downgrade Attack - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)EngineVersion=2\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostVersion=2\.</field>
    </rule>
    <rule id="900824" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>Netcat The Powershell Version</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)powercat\ |powercat\.ps1</field>
    </rule>
    <rule id="900825" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)ModuleContents=function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{</field>
    </rule>
    <rule id="900826" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session (PS Classic)</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ServerRemoteHost</field>
        <field name="full_log" negate="no" type="pcre2">(?i)wsmprovhost\.exe</field>
    </rule>
    <rule id="900827" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Renamed Powershell Under Powershell Channel</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ConsoleHost</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
    </rule>
    <rule id="900828" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
        </mitre>
        <description>Use Get-NetTCPConnection</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Get\-NetTCPConnection</field>
    </rule>
    <rule id="900829" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900830" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - PSClassic</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_provider_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-dbaf\ \$true|\-dbaf\ 1|\-dbm\ \$true|\-dbm\ 1|\-dips\ \$true|\-dips\ 1|\-DisableArchiveScanning\ \$true|\-DisableArchiveScanning\ 1|\-DisableBehaviorMonitoring\ \$true|\-DisableBehaviorMonitoring\ 1|\-DisableBlockAtFirstSeen\ \$true|\-DisableBlockAtFirstSeen\ 1|\-DisableCatchupFullScan\ \$true|\-DisableCatchupFullScan\ 1|\-DisableCatchupQuickScan\ \$true|\-DisableCatchupQuickScan\ 1|\-DisableIntrusionPreventionSystem\ \$true|\-DisableIntrusionPreventionSystem\ 1|\-DisableIOAVProtection\ \$true|\-DisableIOAVProtection\ 1|\-DisableRealtimeMonitoring\ \$true|\-DisableRealtimeMonitoring\ 1|\-DisableRemovableDriveScanning\ \$true|\-DisableRemovableDriveScanning\ 1|\-DisableScanningMappedNetworkDrivesForFullScan\ \$true|\-DisableScanningMappedNetworkDrivesForFullScan\ 1|\-DisableScanningNetworkFiles\ \$true|\-DisableScanningNetworkFiles\ 1|\-DisableScriptScanning\ \$true|\-DisableScriptScanning\ 1|\-MAPSReporting\ \$false|\-MAPSReporting\ 0|\-drdsc\ \$true|\-drdsc\ 1|\-drtm\ \$true|\-drtm\ 1|\-dscrptsc\ \$true|\-dscrptsc\ 1|\-dsmndf\ \$true|\-dsmndf\ 1|\-dsnf\ \$true|\-dsnf\ 1|\-dss\ \$true|\-dss\ 1</field>
    </rule>
    <rule id="900831" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - PSClassic</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_provider_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="full_log" negate="no" type="pcre2">(?i)HighThreatDefaultAction\ Allow|htdefac\ Allow|LowThreatDefaultAction\ Allow|ltdefac\ Allow|ModerateThreatDefaultAction\ Allow|mtdefac\ Allow|SevereThreatDefaultAction\ Allow|stdefac\ Allow</field>
    </rule>
    <rule id="900832" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious Non PowerShell WSMAN COM Provider</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)ProviderName=WSMan</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
    </rule>
    <rule id="900833" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious XOR Encoded PowerShell Command Line - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ConsoleHost</field>
        <field name="full_log" negate="no" type="pcre2">(?i)bxor|char|join</field>
    </rule>
    <rule id="900834" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i).+</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+WINDOWS\\+System32\\+sdiagnhost\.exe\ \-Embedding</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)ConfigSyncRun\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+dsac\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+wsmprovhost\.exe\ \-Embedding</field>
        <field name="win.eventdata.payload" negate="yes" type="pcre2">(?i)Update\-Help</field>
        <field name="win.eventdata.payload" negate="yes" type="pcre2">(?i)Failed\ to\ update\ Help\ for\ the\ module</field>
    </rule>
    <rule id="900835" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Bad Opsec Powershell Code Artifacts</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$DoIt|harmj0y|mattifestation|_RastaMouse|tifkin_|0xdeadbeef</field>
    </rule>
    <rule id="900836" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)вЂ“HistorySaveStyle</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900837" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\-HistorySaveStyle</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900838" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
        </mitre>
        <description>PowerShell Decompress Commands</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Expand\-Archive</field>
    </rule>
    <rule id="900839" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Add\-ConstrainedDelegationBackdoor\.ps1|Add\-Exfiltration\.ps1|Add\-Persistence\.ps1|Add\-RegBackdoor\.ps1|Add\-RemoteRegBackdoor\.ps1|Add\-ScrnSaveBackdoor\.ps1|Check\-VM\.ps1|ConvertTo\-ROT13\.ps1|Copy\-VSS\.ps1|Create\-MultipleSessions\.ps1|DNS_TXT_Pwnage\.ps1|dnscat2\.ps1|Do\-Exfiltration\.ps1|DomainPasswordSpray\.ps1|Download_Execute\.ps1|Download\-Execute\-PS\.ps1|Enabled\-DuplicateToken\.ps1|Enable\-DuplicateToken\.ps1|Execute\-Command\-MSSQL\.ps1|Execute\-DNSTXT\-Code\.ps1|Execute\-OnTime\.ps1|ExetoText\.ps1|Exploit\-Jboss\.ps1|Find\-AVSignature\.ps1|Find\-Fruit\.ps1|Find\-GPOLocation\.ps1|Find\-TrustedDocuments\.ps1|FireBuster\.ps1|FireListener\.ps1|Get\-ApplicationHost\.ps1|Get\-ChromeDump\.ps1|Get\-ClipboardContents\.ps1|Get\-ComputerDetail\.ps1|Get\-FoxDump\.ps1|Get\-GPPAutologon\.ps1|Get\-GPPPassword\.ps1|Get\-IndexedItem\.ps1|Get\-Keystrokes\.ps1|Get\-LSASecret\.ps1|Get\-MicrophoneAudio\.ps1|Get\-PassHashes\.ps1|Get\-PassHints\.ps1|Get\-RegAlwaysInstallElevated\.ps1|Get\-RegAutoLogon\.ps1|Get\-RickAstley\.ps1|Get\-Screenshot\.ps1|Get\-SecurityPackages\.ps1|Get\-ServiceFilePermission\.ps1|Get\-ServicePermission\.ps1|Get\-ServiceUnquoted\.ps1|Get\-SiteListPassword\.ps1|Get\-System\.ps1|Get\-TimedScreenshot\.ps1|Get\-UnattendedInstallFile\.ps1|Get\-Unconstrained\.ps1|Get\-USBKeystrokes\.ps1|Get\-VaultCredential\.ps1|Get\-VulnAutoRun\.ps1|Get\-VulnSchTask\.ps1|Get\-WebConfig\.ps1|Get\-WebCredentials\.ps1|Get\-WLAN\-Keys\.ps1|Gupt\-Backdoor\.ps1|HTTP\-Backdoor\.ps1|HTTP\-Login\.ps1|Install\-ServiceBinary\.ps1|Install\-SSP\.ps1|Invoke\-ACLScanner\.ps1|Invoke\-ADSBackdoor\.ps1|Invoke\-AmsiBypass\.ps1|Invoke\-ARPScan\.ps1|Invoke\-BackdoorLNK\.ps1|Invoke\-BadPotato\.ps1|Invoke\-BetterSafetyKatz\.ps1|Invoke\-BruteForce\.ps1|Invoke\-BypassUAC\.ps1|Invoke\-Carbuncle\.ps1|Invoke\-Certify\.ps1|Invoke\-ConPtyShell\.ps1|Invoke\-CredentialInjection\.ps1|Invoke\-CredentialsPhish\.ps1|Invoke\-DAFT\.ps1|Invoke\-DCSync\.ps1|Invoke\-Decode\.ps1|Invoke\-DinvokeKatz\.ps1|Invoke\-DllInjection\.ps1|Invoke\-DowngradeAccount\.ps1|Invoke\-EgressCheck\.ps1|Invoke\-Encode\.ps1|Invoke\-EventViewer\.ps1|Invoke\-Eyewitness\.ps1|Invoke\-FakeLogonScreen\.ps1|Invoke\-Farmer\.ps1|Invoke\-Get\-RBCD\-Threaded\.ps1|Invoke\-Gopher\.ps1|Invoke\-Grouper2\.ps1|Invoke\-Grouper3\.ps1|Invoke\-HandleKatz\.ps1|Invoke\-Interceptor\.ps1|Invoke\-Internalmonologue\.ps1|Invoke\-Inveigh\.ps1|Invoke\-InveighRelay\.ps1|Invoke\-JSRatRegsvr\.ps1|Invoke\-JSRatRundll\.ps1|Invoke\-KrbRelay\.ps1|Invoke\-KrbRelayUp\.ps1|Invoke\-LdapSignCheck\.ps1|Invoke\-Lockless\.ps1|Invoke\-MalSCCM\.ps1|Invoke\-Mimikatz\.ps1|Invoke\-MimikatzWDigestDowngrade\.ps1|Invoke\-Mimikittenz\.ps1|Invoke\-MITM6\.ps1|Invoke\-NanoDump\.ps1|Invoke\-NetRipper\.ps1|Invoke\-NetworkRelay\.ps1|Invoke\-NinjaCopy\.ps1|Invoke\-OxidResolver\.ps1|Invoke\-P0wnedshell\.ps1|Invoke\-P0wnedshellx86\.ps1|Invoke\-Paranoia\.ps1|Invoke\-PortScan\.ps1|Invoke\-PoshRatHttp\.ps1|Invoke\-PoshRatHttps\.ps1|Invoke\-PostExfil\.ps1|Invoke\-PowerDump\.ps1|Invoke\-PowerShellIcmp\.ps1|Invoke\-PowerShellTCP\.ps1|Invoke\-PowerShellTcpOneLine\.ps1|Invoke\-PowerShellTcpOneLineBind\.ps1|Invoke\-PowerShellUdp\.ps1|Invoke\-PowerShellUdpOneLine\.ps1|Invoke\-PowerShellWMI\.ps1|Invoke\-PowerThIEf\.ps1|Invoke\-PPLDump\.ps1|Invoke\-Prasadhak\.ps1|Invoke\-PsExec\.ps1|Invoke\-PsGcat\.ps1|Invoke\-PsGcatAgent\.ps1|Invoke\-PSInject\.ps1|Invoke\-PsUaCme\.ps1|Invoke\-ReflectivePEInjection\.ps1|Invoke\-ReverseDNSLookup\.ps1|Invoke\-Rubeus\.ps1|Invoke\-RunAs\.ps1|Invoke\-SafetyKatz\.ps1|Invoke\-SauronEye\.ps1|Invoke\-SCShell\.ps1|Invoke\-Seatbelt\.ps1|Invoke\-ServiceAbuse\.ps1|Invoke\-SessionGopher\.ps1|Invoke\-ShellCode\.ps1|Invoke\-SMBScanner\.ps1|Invoke\-Snaffler\.ps1|Invoke\-Spoolsample\.ps1|Invoke\-SSHCommand\.ps1|Invoke\-SSIDExfil\.ps1|Invoke\-StandIn\.ps1|Invoke\-StickyNotesExtract\.ps1|Invoke\-Tater\.ps1|Invoke\-Thunderfox\.ps1|Invoke\-ThunderStruck\.ps1|Invoke\-TokenManipulation\.ps1|Invoke\-Tokenvator\.ps1|Invoke\-TotalExec\.ps1|Invoke\-UrbanBishop\.ps1|Invoke\-UserHunter\.ps1|Invoke\-VoiceTroll\.ps1|Invoke\-Whisker\.ps1|Invoke\-WinEnum\.ps1|Invoke\-winPEAS\.ps1|Invoke\-WireTap\.ps1|Invoke\-WmiCommand\.ps1|Invoke\-WScriptBypassUAC\.ps1|Invoke\-Zerologon\.ps1|Keylogger\.ps1|MailRaider\.ps1|New\-HoneyHash\.ps1|OfficeMemScraper\.ps1|Offline_Winpwn\.ps1|Out\-CHM\.ps1|Out\-DnsTxt\.ps1|Out\-Excel\.ps1|Out\-HTA\.ps1|Out\-Java\.ps1|Out\-JS\.ps1|Out\-Minidump\.ps1|Out\-RundllCommand\.ps1|Out\-SCF\.ps1|Out\-SCT\.ps1|Out\-Shortcut\.ps1|Out\-WebQuery\.ps1|Out\-Word\.ps1|Parse_Keys\.ps1|Port\-Scan\.ps1|PowerBreach\.ps1|powercat\.ps1|PowerRunAsSystem\.psm1|PowerSharpPack\.ps1|PowerUp\.ps1|PowerUpSQL\.ps1|PowerView\.ps1|PSAsyncShell\.ps1|RemoteHashRetrieval\.ps1|Remove\-Persistence\.ps1|Remove\-PoshRat\.ps1|Remove\-Update\.ps1|Run\-EXEonRemote\.ps1|Schtasks\-Backdoor\.ps1|Set\-DCShadowPermissions\.ps1|Set\-MacAttribute\.ps1|Set\-RemotePSRemoting\.ps1|Set\-RemoteWMI\.ps1|Set\-Wallpaper\.ps1|Show\-TargetScreen\.ps1|Speak\.ps1|Start\-CaptureServer\.ps1|Start\-WebcamRecorder\.ps1|StringToBase64\.ps1|TexttoExe\.ps1|VolumeShadowCopyTools\.ps1|WinPwn\.ps1|WSUSpendu\.ps1</field>
    </rule>
    <rule id="900840" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Invoke\-Sharp</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.ps1</field>
    </rule>
    <rule id="900841" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Get-ADDBAccount Usage</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-ADDBAccount</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:BootKey\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:DatabasePath\ )</field>
    </rule>
    <rule id="900842" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>PowerShell Get Clipboard</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-Clipboard</field>
    </rule>
    <rule id="900843" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&amp;&amp;.+clipboard]::\(\s\\+"\{\d\}.+-f.+"</field>
    </rule>
    <rule id="900844" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\[String\]\s*\$VerbosePreference</field>
    </rule>
    <rule id="900845" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation STDIN+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"</field>
    </rule>
    <rule id="900846" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\+"\s+?-f(?:.*\)){1,}.*"</field>
    </rule>
    <rule id="900847" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:readtoend)$</field>
    </rule>
    <rule id="900848" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900849" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*(set).*&amp;&amp;\s?set.*(environment|invoke|\$?\{?input).*&amp;&amp;.*"</field>
    </rule>
    <rule id="900850" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*?echo.*clip.*&amp;&amp;.*(Clipboard|i`?n`?v`?o`?k`?e`?).</field>
    </rule>
    <rule id="900851" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="900852" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900853" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*&amp;&amp;set.*(\{\d\}){2,}\\+"\s+?-f.*&amp;&amp;.*cmd.*/c</field>
    </rule>
    <rule id="900854" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|Check\-VM|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Disable\-MachineAccount|Do\-Exfiltration|Enable\-ADIDNSNode|Enable\-MachineAccount|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADR|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNS|Get\-ApplicationHost|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-MachineAccountAttribute|Get\-MachineAccountCreator|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-Screenshot|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|HTTP\-Login|Install\-ServiceBinary|Install\-SSP|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-DNSRecordArray|New\-HoneyHash|New\-InMemoryModule|New\-MachineAccount|New\-SOASerialNumberArray|Out\-Minidump|Port\-Scan|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-MachineAccount|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Set\-MacAttribute|Set\-MachineAccountAttribute|Set\-Wallpaper|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
    </rule>
    <rule id="900855" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)ModuleContents=function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{</field>
    </rule>
    <rule id="900856" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session (PS Module)</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ =\ ServerRemoteHost\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)wsmprovhost\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)\\+Windows\\+system32\\+WindowsPowerShell\\+v1\.0\\+Modules\\+Microsoft\.PowerShell\.Archive\\+Microsoft\.PowerShell\.Archive\.psm1</field>
    </rule>
    <rule id="900857" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
    </rule>
    <rule id="900858" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
    </rule>
    <rule id="900859" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
        </mitre>
        <description>Use Get-NetTCPConnection - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Get\-NetTCPConnection</field>
    </rule>
    <rule id="900860" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="900861" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="900862" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="900863" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)add</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)HKCU\\+software\\+microsoft\\+windows\\+currentversion\\+run</field>
    </rule>
    <rule id="900864" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="900865" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="900866" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString\('https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="900867" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
    </rule>
    <rule id="900868" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Win32_Group</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Win32_Group</field>
    </rule>
    <rule id="900869" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Suspicious Computer Machine Password by PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Reset\-ComputerMachinePassword</field>
    </rule>
    <rule id="900870" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Information for SMB Share - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-smbshare</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-smbshare</field>
    </rule>
    <rule id="900871" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp  - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900872" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>SyncAppvPublishingServer Bypass Powershell Restriction - PS Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)SyncAppvPublishingServer\.exe</field>
    </rule>
    <rule id="900873" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.impact</id>
        </mitre>
        <description>AADInternals PowerShell Cmdlets Execution - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-AADInt|ConvertTo\-AADInt|Disable\-AADInt|Enable\-AADInt|Export\-AADInt|Get\-AADInt|Grant\-AADInt|Install\-AADInt|Invoke\-AADInt|Join\-AADInt|New\-AADInt|Open\-AADInt|Read\-AADInt|Register\-AADInt|Remove\-AADInt|Restore\-AADInt|Search\-AADInt|Send\-AADInt|Set\-AADInt|Start\-AADInt|Update\-AADInt</field>
    </rule>
    <rule id="900874" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.impact</id>
        </mitre>
        <description>Potential Active Directory Enumeration Using AD Module - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Import\-Module\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Microsoft\.ActiveDirectory\.Management\.dll</field>
    </rule>
    <rule id="900875" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.impact</id>
        </mitre>
        <description>Potential Active Directory Enumeration Using AD Module - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ipmo\ Microsoft\.ActiveDirectory\.Management\.dll</field>
    </rule>
    <rule id="900876" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1565</id>
        </mitre>
        <description>Powershell Add Name Resolution Policy Table Rule</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-DnsClientNrptRule</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Namesp</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-NameSe</field>
    </rule>
    <rule id="900877" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell ADRecon Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Function\ Get\-ADRExcelComOb|Get\-ADRGPO|Get\-ADRDomainController|ADRecon\-Report\.xlsx</field>
    </rule>
    <rule id="900878" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>AMSI Bypass Pattern Assembly GetType</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Ref\]\.Assembly\.GetType</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SetValue$\$null,\$true$</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)NonPublic,Static</field>
    </rule>
    <rule id="900879" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Script Using NULL Bits</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)if$0$\{\{\{0\}\}\}'\ \-f\ \$$0\ \-as\ \[char\]$\ \+|\#&lt;NULL&gt;</field>
    </rule>
    <rule id="900880" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
            <id>attack.t1572</id>
            <id>attack.impact</id>
            <id>attack.t1529</id>
            <id>attack.g0091</id>
            <id>attack.s0363</id>
        </mitre>
        <description>Silence.EDA Detection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Diagnostics\.Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Stop\-Computer</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Restart\-Computer</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Exception\ in\ execution</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$cmdargs</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Close\-Dnscat2Tunnel</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)set\ type=\$LookupType`nserver</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Command\ \|\ nslookup\ 2&gt;\&amp;1\ \|\ Out\-String</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-RandomDNSField</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Convert\]::ToString$\$SYNOptions,\ 16$</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Session\.Dead\ =\ \$True</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Session\["Driver"\]\ \-eq</field>
    </rule>
    <rule id="900881" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Get-ADUser Enumeration Using UserAccountControl Flags</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ADUser</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Filter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)useraccountcontrol</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-band</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)4194304</field>
    </rule>
    <rule id="900882" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Potential Data Exfiltration Via Audio File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Math\]::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[IO\.FileMode\]::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)BinaryWriter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x52</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x49</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x46</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x57</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x41</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x56</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x45</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0xAC</field>
    </rule>
    <rule id="900883" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1113</id>
        </mitre>
        <description>Windows Screen Capture with CopyFromScreen</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.CopyFromScreen</field>
    </rule>
    <rule id="900884" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clearing Windows Console History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Clear\-History</field>
    </rule>
    <rule id="900885" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clearing Windows Console History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-Item|rm</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ConsoleHost_history\.txt|$Get\-PSReadlineOption$\.HistorySavePath</field>
    </rule>
    <rule id="900886" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)вЂ“HistorySaveStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900887" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-HistorySaveStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900888" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Powershell Create Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-ScheduledTaskAction|New\-ScheduledTaskTrigger|New\-ScheduledTaskPrincipal|New\-ScheduledTaskSettingsSet|New\-ScheduledTask|Register\-ScheduledTask</field>
    </rule>
    <rule id="900889" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Powershell Create Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-CimMethod</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ClassName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PS_ScheduledTask</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-NameSpace</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Root\\+Microsoft\\+Windows\\+TaskScheduler</field>
    </rule>
    <rule id="900890" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-ADComputer\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ \\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \|\ Select\ |Out\-File|Set\-Content|Add\-Content</field>
    </rule>
    <rule id="900891" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556.002</id>
        </mitre>
        <description>Powershell Install a DLL in System Directory</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\+Windows\\+(System32|SysWOW64)</field>
    </rule>
    <rule id="900892" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Registry-Free Process Scope COR_PROFILER</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_ENABLE_PROFILING</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_PROFILER</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_PROFILER_PATH</field>
    </rule>
    <rule id="900893" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>PowerShell Create Local User</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-LocalUser</field>
    </rule>
    <rule id="900894" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Create Volume Shadow Copy with Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_shadowcopy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\)\.Create\(</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ClientAccessible</field>
    </rule>
    <rule id="900895" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>DirectorySearcher Powershell Exploitation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-Object\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.DirectorySearcher</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.PropertiesToLoad\.Add</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.findall</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Properties\.name</field>
    </rule>
    <rule id="900896" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.002</id>
        </mitre>
        <description>Manipulation of User Computer or Group Security Principals Across AD</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.AccountManagement</field>
    </rule>
    <rule id="900897" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Disable Powershell Command History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-Module</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)psreadline</field>
    </rule>
    <rule id="900898" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1620</id>
        </mitre>
        <description>Potential In-Memory Execution Using Reflection.Assembly</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Reflection\.Assembly\]::load</field>
    </rule>
    <rule id="900899" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-PasswordVaultCredentials|Get\-CredManCreds</field>
    </rule>
    <rule id="900900" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Windows\.Security\.Credentials\.PasswordVault</field>
    </rule>
    <rule id="900901" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Microsoft\.CSharp\.CSharpCodeProvider</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Runtime\.InteropServices\.RuntimeEnvironment\]::GetRuntimeDirectory\)</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Collections\.ArrayList</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.CodeDom\.Compiler\.CompilerParameters</field>
    </rule>
    <rule id="900902" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Enable Windows Remote Management</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Enable\-PSRemoting\ )</field>
    </rule>
    <rule id="900903" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Remove\-EtwTraceProvider\ )</field>
    </rule>
    <rule id="900904" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-EtwTraceProvider\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x11</field>
    </rule>
    <rule id="900905" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox SMTP Forward Rule</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Mailbox\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-DeliverToMailboxAndForward\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-ForwardingSmtpAddress\ )</field>
    </rule>
    <rule id="900906" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Certificate Exported Via PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Export\-PfxCertificate|Export\-Certificate</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)CmdletsToExport\ =\ @\(</field>
    </rule>
    <rule id="900907" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Suspicious FromBase64String Usage On Gzip Archive - Ps Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)MemoryStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)H4sI</field>
    </rule>
    <rule id="900908" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574.011</id>
            <id>stp.2a</id>
        </mitre>
        <description>Service Registry Permissions Weakness Check</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-acl</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)REGISTRY::HKLM\\+SYSTEM\\+CurrentControlSet\\+Services\\+</field>
    </rule>
    <rule id="900909" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Active Directory Group Enumeration With Get-AdGroup</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-AdGroup\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Filter</field>
    </rule>
    <rule id="900910" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Suspicious Get-ADReplAccount</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ADReplAccount</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-All\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Server\ )</field>
    </rule>
    <rule id="900911" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1217</id>
        </mitre>
        <description>Automated Collection Bookmarks Using Get-ChildItem PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ChildItem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Recurse\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Path\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ Bookmarks</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-ErrorAction\ SilentlyContinue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Force</field>
    </rule>
    <rule id="900912" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - Rubeus Execution - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)asreproast\ |dump\ /service:krbtgt\ |dump\ /luid:0x|kerberoast\ |createnetonly\ /program:|ptt\ /ticket:|/impersonateuser:|renew\ /ticket:|asktgt\ /user:|harvest\ /interval:|s4u\ /user:|s4u\ /ticket:|hash\ /password:|golden\ /aes256:|silver\ /user:</field>
    </rule>
    <rule id="900913" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1046</id>
            <id>attack.t1082</id>
            <id>attack.t1106</id>
            <id>attack.t1518</id>
            <id>attack.t1548.002</id>
            <id>attack.t1552.001</id>
            <id>attack.t1555</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>HackTool - WinPwn Execution - ScriptBlock</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Offline_Winpwn|WinPwn\ |WinPwn\.exe|WinPwn\.ps1</field>
    </rule>
    <rule id="900914" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>PowerShell Hotfix Enumeration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_QuickFixEngineering</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HotFixID</field>
    </rule>
    <rule id="900915" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>PowerShell ICMP Exfiltration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.NetworkInformation\.Ping</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Send\(</field>
    </rule>
    <rule id="900916" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Import PowerShell Modules From Suspicious Directories</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Import\-Module\ "\$Env:Temp\\+|Import\-Module\ '\$Env:Temp\\+|Import\-Module\ \$Env:Temp\\+|Import\-Module\ "\$Env:Appdata\\+|Import\-Module\ '\$Env:Appdata\\+|Import\-Module\ \$Env:Appdata\\+|Import\-Module\ C:\\+Users\\+Public\\+|ipmo\ "\$Env:Temp\\+|ipmo\ '\$Env:Temp\\+|ipmo\ \$Env:Temp\\+|ipmo\ "\$Env:Appdata\\+|ipmo\ '\$Env:Appdata\\+|ipmo\ \$Env:Appdata\\+|ipmo\ C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="900917" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Execute Invoke-command on Remote Host</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:invoke\-command\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-ComputerName\ )</field>
    </rule>
    <rule id="900918" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Powershell DNSExfiltration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-DNSExfiltrator</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-i\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-doh\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-t\ )</field>
    </rule>
    <rule id="900919" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&amp;&amp;.+clipboard]::\(\s\\+"\{\d\}.+-f.+"</field>
    </rule>
    <rule id="900920" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
    </rule>
    <rule id="900921" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation STDIN+ Launcher - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"</field>
    </rule>
    <rule id="900922" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\+"\s+?-f(?:.*\)){1,}.*"</field>
    </rule>
    <rule id="900923" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:readtoend)$</field>
    </rule>
    <rule id="900924" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900925" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*(set).*&amp;&amp;\s?set.*(environment|invoke|\$\{?input).*&amp;&amp;.*"</field>
    </rule>
    <rule id="900926" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*?echo.*clip.*&amp;&amp;.*(Clipboard|i`?n`?v`?o`?k`?e`?).</field>
    </rule>
    <rule id="900927" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="900928" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900929" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*&amp;&amp;set.*(\{\d\}){2,}\\+"\s+?-f.*&amp;&amp;.*cmd.*/c</field>
    </rule>
    <rule id="900930" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Powershell Keylogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Keystrokes</field>
    </rule>
    <rule id="900931" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Powershell Keylogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ProcAddress\ user32\.dll\ GetAsyncKeyState</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ProcAddress\ user32\.dll\ GetForegroundWindow</field>
    </rule>
    <rule id="900932" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Powershell LocalAccount Manipulation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Disable\-LocalUser|Enable\-LocalUser|Get\-LocalUser|Set\-LocalUser|New\-LocalUser|Rename\-LocalUser|Remove\-LocalUser</field>
    </rule>
    <rule id="900933" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox Export to Share - PS</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-MailboxExportRequest</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Mailbox\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-FilePath\ \\+</field>
    </rule>
    <rule id="900934" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Do\-Exfiltration|Enable\-ADIDNSNode|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNSNodeAttribute|Get\-ADIDNSNodeOwner|Get\-ADIDNSNodeTombstoned|Get\-ADIDNSPermission|Get\-ADIDNSZone|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-HoneyHash|New\-InMemoryModule|New\-SOASerialNumberArray|Out\-Minidump|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)Get\-SystemDriveInfo</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Amazon\\+EC2\-Windows\\+Launch\\+Module\\+</field>
    </rule>
    <rule id="900935" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Keywords</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AdjustTokenPrivileges|IMAGE_NT_OPTIONAL_HDR64_MAGIC|Metasploit|Microsoft\.Win32\.UnsafeNativeMethods|Mimikatz|MiniDumpWriteDump|PAGE_EXECUTE_READ|ReadProcessMemory\.Invoke|SE_PRIVILEGE_ENABLED|SECURITY_DELEGATION|TOKEN_ADJUST_PRIVILEGES|TOKEN_ALL_ACCESS|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_ELEVATION|TOKEN_IMPERSONATE|TOKEN_INFORMATION_CLASS|TOKEN_PRIVILEGES|TOKEN_QUERY</field>
    </rule>
    <rule id="900936" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
        </mitre>
        <description>Live Memory Dump Using Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-StorageDiagnosticInfo</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-IncludeLiveDump</field>
    </rule>
    <rule id="900937" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Powershell MsXml COM Object</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ComObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)MsXml2\.</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)XmlHttp</field>
    </rule>
    <rule id="900938" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious Nishang PowerShell Commandlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-ConstrainedDelegationBackdoor|Copy\-VSS|Create\-MultipleSessions|DataToEncode|DNS_TXT_Pwnage|Do\-Exfiltration\-Dns|Download_Execute|Download\-Execute\-PS|DownloadAndExtractFromRemoteRegistry|DumpCerts|DumpCreds|DumpHashes|Enable\-DuplicateToken|Enable\-Duplication|Execute\-Command\-MSSQL|Execute\-DNSTXT\-Code|Execute\-OnTime|ExetoText|exfill|ExfilOption|FakeDC|FireBuster|FireListener|Get\-Information\ |Get\-PassHints|Get\-Web\-Credentials|Get\-WebCredentials|Get\-WLAN\-Keys|HTTP\-Backdoor|Invoke\-AmsiBypass|Invoke\-BruteForce|Invoke\-CredentialsPhish|Invoke\-Decode|Invoke\-Encode|Invoke\-Interceptor|Invoke\-JSRatRegsvr|Invoke\-JSRatRundll|Invoke\-MimikatzWDigestDowngrade|Invoke\-NetworkRelay|Invoke\-PowerShellIcmp|Invoke\-PowerShellUdp|Invoke\-Prasadhak|Invoke\-PSGcat|Invoke\-PsGcatAgent|Invoke\-SessionGopher|Invoke\-SSIDExfil|LoggedKeys|Nishang|NotAllNameSpaces|Out\-CHM|OUT\-DNSTXT|Out\-HTA|Out\-RundllCommand|Out\-SCF|Out\-SCT|Out\-Shortcut|Out\-WebQuery|Out\-Word|Parse_Keys|Password\-List|Powerpreter|Remove\-Persistence|Remove\-PoshRat|Remove\-Update|Run\-EXEonRemote|Set\-DCShadowPermissions|Set\-RemotePSRemoting|Set\-RemoteWMI|Shellcode32|Shellcode64|StringtoBase64|TexttoExe</field>
    </rule>
    <rule id="900939" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Code Executed Via Office Add-in XLL File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:new\-object\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComObject\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.application</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.RegisterXLL</field>
    </rule>
    <rule id="900940" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DumpCreds</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DumpCerts</field>
    </rule>
    <rule id="900941" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)sekurlsa::logonpasswords</field>
    </rule>
    <rule id="900942" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)crypto::certificates</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CERT_SYSTEM_STORE_LOCAL_MACHINE</field>
    </rule>
    <rule id="900943" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerView PowerShell Cmdlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Export\-PowerViewCSV|Find\-DomainLocalGroupMember|Find\-DomainObjectPropertyOutlier|Find\-DomainProcess|Find\-DomainShare|Find\-DomainUserEvent|Find\-DomainUserLocation|Find\-ForeignGroup|Find\-ForeignUser|Find\-GPOComputerAdmin|Find\-GPOLocation|Find\-InterestingDomain|Find\-InterestingFile|Find\-LocalAdminAccess|Find\-ManagedSecurityGroups|Get\-CachedRDPConnection|Get\-DFSshare|Get\-DomainDFSShare|Get\-DomainDNSRecord|Get\-DomainDNSZone|Get\-DomainFileServer|Get\-DomainGPOComputerLocalGroupMapping|Get\-DomainGPOLocalGroup|Get\-DomainGPOUserLocalGroupMapping|Get\-LastLoggedOn|Get\-LoggedOnLocal|Get\-NetFileServer|Get\-NetForest|Get\-NetGPOGroup|Get\-NetProcess|Get\-NetRDPSession|Get\-RegistryMountedDrive|Get\-RegLoggedOn|Get\-WMIRegCachedRDPConnection|Get\-WMIRegLastLoggedOn|Get\-WMIRegMountedDrive|Get\-WMIRegProxy|Invoke\-ACLScanner|Invoke\-CheckLocalAdminAccess|Invoke\-EnumerateLocalAdmin|Invoke\-EventHunter|Invoke\-FileFinder|Invoke\-Kerberoast|Invoke\-MapDomainTrust|Invoke\-ProcessHunter|Invoke\-RevertToSelf|Invoke\-ShareFinder|Invoke\-UserHunter|Invoke\-UserImpersonation|Remove\-RemoteConnection|Request\-SPNTicket|Resolve\-IPAddress</field>
    </rule>
    <rule id="900944" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Credential Prompt</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PromptForCredential</field>
    </rule>
    <rule id="900945" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PSAsyncShell - Asynchronous TCP Reverse Shell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PSAsyncShell</field>
    </rule>
    <rule id="900946" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell PSAttack</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PS\ ATTACK!!!</field>
    </rule>
    <rule id="900947" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)^(?:function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{)</field>
    </rule>
    <rule id="900948" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Remote Session Creation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-PSSession</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComputerName\ )</field>
    </rule>
    <rule id="900949" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Request A Single Ticket via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.IdentityModel\.Tokens\.KerberosRequestorSecurityToken</field>
    </rule>
    <rule id="900950" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1020</id>
        </mitre>
        <description>PowerShell Script With File Hostname Resolving Capabilities</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-content\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)foreach</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.Dns\]::GetHostEntry</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Out\-File</field>
    </rule>
    <rule id="900951" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Move\-Item</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
    </rule>
    <rule id="900952" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Import\-Certificate</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
    </rule>
    <rule id="900953" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Invoke-Item From Mount-DiskImage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Mount\-DiskImage\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ImagePath\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Volume</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.DriveLetter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:invoke\-item\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\):\\+</field>
    </rule>
    <rule id="900954" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>Powershell Exfiltration Over SMTP</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Send\-MailMessage</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)CmdletsToExport</field>
    </rule>
    <rule id="900955" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222</id>
        </mitre>
        <description>PowerShell Script Change Permission Via Set-Acl - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Acl\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-AclObject\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
    </rule>
    <rule id="900956" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Change PowerShell Policies to an Insecure Level - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-ExecutionPolicy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Unrestricted|bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://community\.chocolatey\.org/install\.ps1'$</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://chocolatey\.org/install\.ps1'$</field>
    </rule>
    <rule id="900957" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell ShellCode</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OiCAAAAYInlM|OiJAAAAYInlM</field>
    </rule>
    <rule id="900958" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious ShellIntel PowerShell Commandlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-SMBAutoBrute|Invoke\-GPOLinks|Invoke\-Potato</field>
    </rule>
    <rule id="900959" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1518</id>
        </mitre>
        <description>Detected Windows Software Discovery - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-itemProperty</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+software\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)select\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)format\-table</field>
    </rule>
    <rule id="900960" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Powershell Store File In Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Start\-Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-FilePath\ "\$env:comspec"\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ArgumentList\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)&gt;</field>
    </rule>
    <rule id="900961" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Potential Persistence Via Security Descriptors - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_Trustee</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_Ace</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AccessMask</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AceType</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.SetSecurityDescriptor</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+Lsa\\+JD|\\+Lsa\\+Skew1|\\+Lsa\\+Data|\\+Lsa\\+GBG</field>
    </rule>
    <rule id="900962" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
    </rule>
    <rule id="900963" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
    </rule>
    <rule id="900964" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Using Character Join</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Alias</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Value\ \(\-join\(</field>
    </rule>
    <rule id="900965" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
        </mitre>
        <description>Suspicious Eventlog Clear</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Clear\-EventLog\ |Remove\-EventLog\ |Limit\-EventLog\ |Clear\-WinEvent\ )</field>
    </rule>
    <rule id="900966" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1083</id>
        </mitre>
        <description>Powershell Directory Enumeration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)foreach</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ChildItem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ErrorAction\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SilentlyContinue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Out\-File\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-append</field>
    </rule>
    <rule id="900967" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Download - Powershell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.WebClient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.DownloadFile\(|\.DownloadFileAsync\(|\.DownloadString\(|\.DownloadStringAsync\(</field>
    </rule>
    <rule id="900968" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Extracting Information with PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ls</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-R</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:select\-string\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Pattern\ )</field>
    </rule>
    <rule id="900969" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Troubleshooting Pack Cmdlet Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-TroubleshootingPack</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)C:\\+Windows\\+Diagnostics\\+System\\+PCW</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-AnswerFile</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Unattended</field>
    </rule>
    <rule id="900970" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>PowerShell Get-Process LSASS in ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Process\ lsass</field>
    </rule>
    <rule id="900971" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Suspicious GetTypeFromCLSID ShellExecute</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)::GetTypeFromCLSID\(</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.ShellExecute\(</field>
    </rule>
    <rule id="900972" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1201</id>
        </mitre>
        <description>Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-AdDefaultDomainPasswordPolicy</field>
    </rule>
    <rule id="900973" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Suspicious PowerShell Get Current User</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Environment\]::UserName|\$env:UserName|\[System\.Security\.Principal\.WindowsIdentity\]::GetCurrent</field>
    </rule>
    <rule id="900974" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1615</id>
        </mitre>
        <description>Suspicious GPO Discovery With Get-GPO</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-GPO</field>
    </rule>
    <rule id="900975" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1057</id>
        </mitre>
        <description>Suspicious Process Discovery With Get-Process</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Process</field>
    </rule>
    <rule id="900976" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
        </mitre>
        <description>Suspicious Hyper-V Cmdlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-VM|Set\-VMFirmware|Start\-VM</field>
    </rule>
    <rule id="900977" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="900978" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="900979" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="900980" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HKCU\\+software\\+microsoft\\+windows\\+currentversion\\+run</field>
    </rule>
    <rule id="900981" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="900982" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="900983" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)\(New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://chocolatey\.org/install\.ps1'$</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="900984" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Change User Agents with WebRequest</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-WebRequest</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-UserAgent\ )</field>
    </rule>
    <rule id="900985" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Suspicious IO.FileStream</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)IO\.FileStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+\.\\+</field>
    </rule>
    <rule id="900986" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.credential_access</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Potential Keylogger Activity</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Windows\.Input\.Keyboard\]::IsKeyDown\(\[System\.Windows\.Input\.Key\]::</field>
    </rule>
    <rule id="900987" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Suspicious PowerShell Keywords</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Reflection\.Assembly\.Load\(\$|\[System\.Reflection\.Assembly\]::Load\(\$|\[Reflection\.Assembly\]::Load\(\$|System\.Reflection\.AssemblyName|Reflection\.Emit\.AssemblyBuilderAccess|Reflection\.Emit\.CustomAttributeBuilder|Runtime\.InteropServices\.UnmanagedType|Runtime\.InteropServices\.DllImportAttribute|SuspendThread|rundll32</field>
    </rule>
    <rule id="900988" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
    </rule>
    <rule id="900989" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_Group</field>
    </rule>
    <rule id="900990" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1114.001</id>
        </mitre>
        <description>Powershell Local Email Collection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Inbox\.ps1|Microsoft\.Office\.Interop\.Outlook|Microsoft\.Office\.Interop\.Outlook\.olDefaultFolders|\-comobject\ outlook\.application</field>
    </rule>
    <rule id="900991" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>PowerShell Deleted Mounted Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-SmbShare|Remove\-FileShare</field>
    </rule>
    <rule id="900992" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Mount-DiskImage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Mount\-DiskImage\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ImagePath\ )</field>
    </rule>
    <rule id="900993" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>Suspicious Connection to Remote Account</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.Protocols\.LdapDirectoryIdentifier|System\.Net\.NetworkCredential|System\.DirectoryServices\.Protocols\.LdapConnection</field>
    </rule>
    <rule id="900994" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious New-PSDrive to Admin Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-PSDrive</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-psprovider\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)filesystem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-root\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900995" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>Suspicious TCP Tunnel Via PowerShell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.HttpWebRequest\]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.Sockets\.TcpListener</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AcceptTcpClient</field>
    </rule>
    <rule id="900996" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1531</id>
        </mitre>
        <description>Remove Account From Domain Admin Group</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-ADGroupMember</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Identity\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Members\ )</field>
    </rule>
    <rule id="900997" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Using Alias Cmdlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Alias\ |New\-Alias\ )</field>
    </rule>
    <rule id="900998" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Information for SMB Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-smbshare</field>
    </rule>
    <rule id="900999" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1573</id>
        </mitre>
        <description>Suspicious SSL Connection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.Security\.SslStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Net\.Security\.RemoteCertificateValidationCallback</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AuthenticateAsClient</field>
    </rule>
    <rule id="901000" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Start-Process PassThru</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Start\-Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-PassThru\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-FilePath\ )</field>
    </rule>
    <rule id="901001" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Unblock-File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Unblock\-File\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
    </rule>
    <rule id="901002" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Replace Desktop Wallpaper by Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ItemProperty</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Registry::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WallPaper</field>
    </rule>
    <rule id="901003" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Replace Desktop Wallpaper by Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SystemParametersInfo$20,0,.+,3$</field>
    </rule>
    <rule id="901004" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1120</id>
        </mitre>
        <description>Powershell Suspicious Win32_PnPEntity</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_PnPEntity</field>
    </rule>
    <rule id="901005" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Delete Volume Shadow Copies via WMI with PowerShell - PS Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-WmiObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_Shadowcopy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Delete</field>
    </rule>
    <rule id="901006" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>Suspicious PowerShell WindowStyle Option</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WindowStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)\$PSScriptRoot\\+Module\\+WorkspaceScriptModule\\+WorkspaceScriptModule</field>
    </rule>
    <rule id="901007" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PowerShell Write-EventLog Usage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Write\-EventLog</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-RawData\ )</field>
    </rule>
    <rule id="901008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp - PowerShell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901009" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>SyncAppvPublishingServer Execution to Bypass Powershell Restriction</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SyncAppvPublishingServer\.exe</field>
    </rule>
    <rule id="901010" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - ScriptBlockLogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-dbaf\ \$true|\-dbaf\ 1|\-dbm\ \$true|\-dbm\ 1|\-dips\ \$true|\-dips\ 1|\-DisableArchiveScanning\ \$true|\-DisableArchiveScanning\ 1|\-DisableBehaviorMonitoring\ \$true|\-DisableBehaviorMonitoring\ 1|\-DisableBlockAtFirstSeen\ \$true|\-DisableBlockAtFirstSeen\ 1|\-DisableCatchupFullScan\ \$true|\-DisableCatchupFullScan\ 1|\-DisableCatchupQuickScan\ \$true|\-DisableCatchupQuickScan\ 1|\-DisableIntrusionPreventionSystem\ \$true|\-DisableIntrusionPreventionSystem\ 1|\-DisableIOAVProtection\ \$true|\-DisableIOAVProtection\ 1|\-DisableRealtimeMonitoring\ \$true|\-DisableRealtimeMonitoring\ 1|\-DisableRemovableDriveScanning\ \$true|\-DisableRemovableDriveScanning\ 1|\-DisableScanningMappedNetworkDrivesForFullScan\ \$true|\-DisableScanningMappedNetworkDrivesForFullScan\ 1|\-DisableScanningNetworkFiles\ \$true|\-DisableScanningNetworkFiles\ 1|\-DisableScriptScanning\ \$true|\-DisableScriptScanning\ 1|\-MAPSReporting\ \$false|\-MAPSReporting\ 0|\-drdsc\ \$true|\-drdsc\ 1|\-drtm\ \$true|\-drtm\ 1|\-dscrptsc\ \$true|\-dscrptsc\ 1|\-dsmndf\ \$true|\-dsmndf\ 1|\-dsnf\ \$true|\-dsnf\ 1|\-dss\ \$true|\-dss\ 1</field>
    </rule>
    <rule id="901011" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Testing Usage of Uncommonly Used Port</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Test\-NetConnection</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComputerName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-port\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)(?:\ 443\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)(?:\ 80\ )</field>
    </rule>
    <rule id="901012" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.006</id>
        </mitre>
        <description>Powershell Timestomp</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.CreationTime\ =|\.LastWriteTime\ =|\.LastAccessTime\ =|\[IO\.File\]::SetCreationTime|\[IO\.File\]::SetLastAccessTime|\[IO\.File\]::SetLastWriteTime</field>
    </rule>
    <rule id="901013" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.009</id>
        </mitre>
        <description>Powershell Token Obfuscation - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\w+`(\w+|-|.)`[\w+|\s]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)"(\{\d\}){2,}"\s*-f</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)it\ will\ return\ true\ or\ false\ instead</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)The\ function\ also\ prevents\ `Get\-ItemProperty`\ from\ failing</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+bin\\+servicecontrol\.ps1)</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)`r`n</field>
    </rule>
    <rule id="901014" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>User Discovery And Export Via Get-ADUser Cmdlet - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-ADUser\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ \\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ &gt;\ |\ \|\ Select\ |Out\-File|Set\-Content|Add\-Content</field>
    </rule>
    <rule id="901015" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Abuse of Service Permissions to Hide Services Via Set-Service - PS</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Service\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DCLCWPDTSD</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-SecurityDescriptorSddl\ |\-sd\ )</field>
    </rule>
    <rule id="901016" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>Veeam Backup Servers Credential Dumping Script Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Credentials\]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Veeam\.Backup\.Common\.ProtectedStorage\]::GetLocalString</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-Sqlcmd</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Veeam\ Backup\ and\ Replication</field>
    </rule>
    <rule id="901017" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Usage Of Web Request Commands And Cmdlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.WebRequest\]::create|curl\ |Invoke\-RestMethod|Invoke\-WebRequest|iwr\ |Net\.WebClient|Resume\-BitsTransfer|Start\-BitsTransfer|wget\ |WinHttp\.WinHttpRequest</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+)</field>
    </rule>
    <rule id="901018" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>PowerShell WMI Win32_Product Install MSI</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Invoke\-CimMethod\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Win32_Product\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-MethodName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.msi</field>
    </rule>
    <rule id="901019" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualAlloc</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcess</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WriteProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CreateRemoteThread</field>
    </rule>
    <rule id="901020" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcessToken</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)LookupPrivilegeValue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AdjustTokenPrivileges</field>
    </rule>
    <rule id="901021" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcessToken</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DuplicateTokenEx</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CloseHandle</field>
    </rule>
    <rule id="901022" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WriteProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualAlloc</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ReadProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualFree</field>
    </rule>
    <rule id="901023" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>WMImplant Hack Tool</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:WMImplant|\ change_user\ |\ gen_cli\ |\ command_exec\ |\ disable_wdigest\ |\ disable_winrm\ |\ enable_wdigest\ |\ enable_winrm\ |\ registry_mod\ |\ remote_posh\ |\ sched_job\ |\ service_mod\ |\ process_kill\ |\ active_users\ |\ basic_info\ |\ power_off\ |\ vacant_system\ |\ logon_events\ )</field>
    </rule>
    <rule id="901024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Powershell WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-CimInstance\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Namespace\ root/subscription\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ __EventFilter\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Property\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-CimInstance\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Namespace\ root/subscription\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ CommandLineEventConsumer\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Property\ )</field>
    </rule>
    <rule id="901025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WMIC Unquoted Services Path Lookup - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-WmiObject\ |gwmi\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ Win32_Service\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Name</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DisplayName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PathName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)StartMode</field>
    </rule>
    <rule id="901026" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Suspicious X509Enrollment - Ps Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)X509Enrollment\.CBinaryConverter|884e2002\-217d\-11da\-b2a4\-000e7bbb2b09</field>
    </rule>
    <rule id="901027" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.g0069</id>
            <id>attack.g0080</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Process Access</description>
        <options>no_full_log</options>
        <group>windows,process_access,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)cmlua\.dll</field>
    </rule>
    <rule id="901028" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - CobaltStrike BOF Injection Pattern</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+[a-z0-9]{4,6}\|C:\\+Windows\\+System32\\+KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN$[A-Z0-9]{16}$$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1028|0x1fffff</field>
    </rule>
    <rule id="901029" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>HackTool - Generic Process Access</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+Akagi\.exe|\\+Akagi64\.exe|\\+atexec_windows\.exe|\\+Certify\.exe|\\+Certipy\.exe|\\+CoercedPotato\.exe|\\+crackmapexec\.exe|\\+CreateMiniDump\.exe|\\+dcomexec_windows\.exe|\\+dpapi_windows\.exe|\\+findDelegation_windows\.exe|\\+GetADUsers_windows\.exe|\\+GetNPUsers_windows\.exe|\\+getPac_windows\.exe|\\+getST_windows\.exe|\\+getTGT_windows\.exe|\\+GetUserSPNs_windows\.exe|\\+gmer\.exe|\\+hashcat\.exe|\\+htran\.exe|\\+ifmap_windows\.exe|\\+impersonate\.exe|\\+Inveigh\.exe|\\+LocalPotato\.exe|\\+mimikatz_windows\.exe|\\+mimikatz\.exe|\\+netview_windows\.exe|\\+nmapAnswerMachine_windows\.exe|\\+opdump_windows\.exe|\\+PasswordDump\.exe|\\+Potato\.exe|\\+PowerTool\.exe|\\+PowerTool64\.exe|\\+psexec_windows\.exe|\\+PurpleSharp\.exe|\\+pypykatz\.exe|\\+QuarksPwDump\.exe|\\+rdp_check_windows\.exe|\\+Rubeus\.exe|\\+SafetyKatz\.exe|\\+sambaPipe_windows\.exe|\\+SelectMyParent\.exe|\\+SharpChisel\.exe|\\+SharPersist\.exe|\\+SharpEvtMute\.exe|\\+SharpImpersonation\.exe|\\+SharpLDAPmonitor\.exe|\\+SharpLdapWhoami\.exe|\\+SharpUp\.exe|\\+SharpView\.exe|\\+smbclient_windows\.exe|\\+smbserver_windows\.exe|\\+sniff_windows\.exe|\\+sniffer_windows\.exe|\\+split_windows\.exe|\\+SpoolSample\.exe|\\+Stracciatella\.exe|\\+SysmonEOP\.exe|\\+temp\\+rot\.exe|\\+ticketer_windows\.exe|\\+TruffleSnout\.exe|\\+winPEASany_ofs\.exe|\\+winPEASany\.exe|\\+winPEASx64_ofs\.exe|\\+winPEASx64\.exe|\\+winPEASx86_ofs\.exe|\\+winPEASx86\.exe|\\+xordump\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)\\+goldenPac|\\+just_dce_|\\+karmaSMB|\\+kintercept|\\+LocalPotato|\\+ntlmrelayx|\\+rpcdump|\\+samrdump|\\+secretsdump|\\+smbexec|\\+smbrelayx|\\+wmiexec|\\+wmipersist|HotPotato|Juicy\ Potato|JuicyPotato|PetitPotam|RottenPotato</field>
    </rule>
    <rule id="901030" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz Duplicating LSASS Handle</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1440</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
    </rule>
    <rule id="901031" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>HackTool - LittleCorporal Generated Maldoc Injection</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+v2\.</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
    </rule>
    <rule id="901032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i):\\+Windows\\+Sysmon\.exe|:\\+Windows\\+Sysmon64\.exe</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1400</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
    </rule>
    <rule id="901033" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i):\\+Windows\\+Sysmon\.exe|:\\+Windows\\+Sysmon64\.exe</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1400</field>
    </rule>
    <rule id="901034" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)Ente</field>
    </rule>
    <rule id="901035" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Lsass Memory Dump via Comsvcs DLL</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)comsvcs\.dll</field>
    </rule>
    <rule id="901036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>LSASS Memory Access by Tool With Dump Keyword In Name</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)dump</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$</field>
    </rule>
    <rule id="901037" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potential Credential Dumping Activity Via LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1038|0x1438|0x143a|0x1fffff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)dbgcore\.dll|dbghelp\.dll|kernel32\.dll|kernelbase\.dll|ntdll\.dll</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="901038" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potential Credential Dumping Activity Via LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1038|0x1438|0x143a|0x1fffff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)dbgcore\.dll|dbghelp\.dll|kernel32\.dll|kernelbase\.dll|ntdll\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\\+thor\\+thor64\.exe\+</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|UNKNOWN\(</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x103800</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Sysmon64\.exe)$</field>
    </rule>
    <rule id="901039" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0349</id>
        </mitre>
        <description>Credential Dumping Activity By Python Based Tool</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)_ctypes\.pyd\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+System32\\+KERNELBASE\.dll\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+SYSTEM32\\+ntdll\.dll\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)python27\.dll\+|python3.+\.dll\+</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1FFFFF</field>
    </rule>
    <rule id="901040" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Remote LSASS Process Access Through Windows Remote Management</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?::\\+Windows\\+system32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x80000000</field>
    </rule>
    <rule id="901041" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious LSASS Access Via MalSecLogon</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x14c0</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)seclogon\.dll</field>
    </rule>
    <rule id="901042" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potentially Suspicious GrantedAccess Flags On LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x100000|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|.:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Definition\ Updates\\+\{</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\}\\+mpengine\.dll\+</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x1418</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|c:\\+program\ files\\+windows\ defender\\+mprtp\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|c:\\+program\ files\\+windows\ defender\\+MpClient\.dll</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x401</field>
    </rule>
    <rule id="901043" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potentially Suspicious GrantedAccess Flags On LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x100000|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+ProgramData\\+MALWAREBYTES\\+MBAMSERVICE\\+ctlrupdate\\+mbupdatr\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+VMware\\+VMware\ Tools\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+PROCEXP64\.EXE)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+PROCEXP\.EXE)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x40</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MBAMInstallerService\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x40</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x40</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x40</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x401</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+SteamLibrary\\+steamapps\\+</field>
    </rule>
    <rule id="901044" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Credential Dumping Attempt Via WerFault</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1FFFFF</field>
    </rule>
    <rule id="901045" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>LSASS Access From Potentially White-Listed Processes</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\.exe|\\+ProcessDump\.exe|\\+dump64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$</field>
    </rule>
    <rule id="901046" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential Direct Syscall of NtOpenProcess</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN)</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:vcredist_x64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:vcredist_x64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)Microsoft\-Windows\-Kernel\-Audit\-API\-Calls</field>
    </rule>
    <rule id="901047" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential Direct Syscall of NtOpenProcess</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN)</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+systeminfo\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:setup64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Explorer\.EXE)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Cylance\\+Desktop\\+CylanceUI\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:AmazonSSMAgentSetup\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:AmazonSSMAgentSetup\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+Yammer\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+app\-</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Yammer\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x1000</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Evernote\\+Evernote\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Adobe\\+Acrobat\ DC\\+Acrobat\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AcroCEF\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Adobe\\+Acrobat\ DC\\+Acrobat\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AcroCEF\.exe)$</field>
    </rule>
    <rule id="901048" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential NT API Stub Patching</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1FFFFF</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+taskhostw\.exe</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+taskhost\.exe</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+v</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+v</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+NGenTask\.exe)$</field>
    </rule>
    <rule id="901049" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential NT API Stub Patching</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1FFFFF</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+resources\\+app\\+git\\+usr\\+bin\\+sh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+SysWOW64\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)$</field>
    </rule>
    <rule id="901050" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential Shellcode Injection</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x147a|0x1f3fff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Dell\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Dell\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Dell\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Dell\\+</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x1F3FFF</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Dell\\+UpdateService\\+ServiceShell\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Explorer\.EXE)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)0x1F3FFF</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+2022\\+Community\\+Common7\\+IDE\\+PerfWatson2\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+2019\\+Community\\+Common7\\+IDE\\+PerfWatson2\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+2022\\+Community\\+Common7\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+2019\\+Community\\+Common7\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MSBuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Dell\\+DellDataVault\\+DDVDataCollector\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+Wbem\\+Wmiprvse\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+lsass\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+SYSTEM32\\+ntdll\.dll)</field>
    </rule>
    <rule id="901051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1548</id>
        </mitre>
        <description>Credential Dumping Attempt Via Svchost</description>
        <options>no_full_log</options>
        <group>windows,process_access,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x143a</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
    </rule>
    <rule id="901052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Suspicious Svchost Process Access</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1F3FFF</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MSBuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)Microsoft\.Build\.ni\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)System\.ni\.dll</field>
    </rule>
    <rule id="901053" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Function Call From Undocumented COM Interface EditionUpgradeManager</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)editionupgrademanagerobj\.dll</field>
    </rule>
    <rule id="901054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using WOW64 Logger DLL Hijack</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1fffff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN$0000000000000000$\|UNKNOWN$0000000000000000$\|)</field>
    </rule>
    <rule id="901055" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AddInUtil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901056" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AddInUtil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:\.|\-AddInRoot:"\."|\-PipelineRoot:\.|\-PipelineRoot:"\."</field>
        <field name="win.eventdata.currentDirectory" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901057" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon Child Process Of AddinUtil.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+werfault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+werfault\.exe)$</field>
    </rule>
    <rule id="901058" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AddInUtil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-AddInRoot:"C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-AddInRoot:C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-PipelineRoot:"C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-PipelineRoot:C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
    </rule>
    <rule id="901059" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>AddinUtil.EXE Execution From Uncommon Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AddInUtil\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="901060" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AgentExecutor PowerShell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AgentExecutor\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AgentExecutor\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-powershell|\ \-remediationScript</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+</field>
    </rule>
    <rule id="901061" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Process Of Appvlp.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+appvlp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+rundll32\.exe)$</field>
    </rule>
    <rule id="901062" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Process Of Appvlp.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+appvlp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msoasb\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+SkypeSrv\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SKYPESERVER\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSOUC\.EXE)$</field>
    </rule>
    <rule id="901063" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>AspNetCompiler Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+Microsoft\.NET\\+Framework\\+|C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
    </rule>
    <rule id="901064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potentially Suspicious ASP.NET Compilation Via AspNetCompiler</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+Microsoft\.NET\\+Framework\\+|C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Local\\+Roaming\\+|:\\+Temp\\+|:\\+Windows\\+Temp\\+|:\\+Windows\\+System32\\+Tasks\\+|:\\+Windows\\+Tasks\\+</field>
    </rule>
    <rule id="901065" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AtBroker\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)animations</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)audiodescription</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)caretbrowsing</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)caretwidth</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)colorfiltering</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)cursorindicator</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)cursorscheme</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)filterkeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)focusborderheight</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)focusborderwidth</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)highcontrast</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)keyboardcues</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)keyboardpref</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)livecaptions</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)magnifierpane</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)messageduration</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)minimumhitradius</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)mousekeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Narrator</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)osk</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)overlappedcontent</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)showsounds</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)soundsentry</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)speechreco</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)stickykeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)togglekeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)voiceaccess</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowarranging</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtracking</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtrackingtimeout</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtrackingzorder</field>
    </rule>
    <rule id="901066" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AtBroker\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Oracle_JavaAccessBridge</field>
    </rule>
    <rule id="901067" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Hiding Files with Attrib.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ATTRIB\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \+h\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+desktop\.ini\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\+R\ \+H\ \+S\ \+A\ \\+.+\.cui</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+.+\.bat</field>
    </rule>
    <rule id="901068" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Set Suspicious Files as System Files Using Attrib.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ATTRIB\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \+s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ %|\\+Users\\+Public\\+|\\+AppData\\+Local\\+|\\+ProgramData\\+|\\+Downloads\\+|\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat|\.dll|\.exe|\.hta|\.ps1|\.vbe|\.vbs</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="901069" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Interactive AT Job</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+at\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)interactive</field>
    </rule>
    <rule id="901070" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Audit Policy Tampering Via NT Resource Kit Auditpol</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/logon:none|/system:none|/sam:none|/privilege:none|/object:none|/process:none|/policy:none</field>
    </rule>
    <rule id="901071" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Indirect Command Execution From Script File Via Bash.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+bash\.exe|:\\+Windows\\+SysWOW64\\+bash\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Bash\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash\.exe\ \-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash\ \-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash</field>
    </rule>
    <rule id="901072" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of BgInfo.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+bginfo\.exe|\\+bginfo64\.exe)$</field>
    </rule>
    <rule id="901073" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
            <id>attack.s0190</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>File Download Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)bitsadmin\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /transfer\ )</field>
    </rule>
    <rule id="901074" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
            <id>attack.s0190</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Download From Direct IP Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)bitsadmin\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /transfer\ |\ /create\ |\ /addfile\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://7\-</field>
    </rule>
    <rule id="901075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1197</id>
        </mitre>
        <description>Monitoring For Persistence Via BITS</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)bitsadmin\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/SetNotifyCmdLine</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%COMSPEC%|cmd\.exe|regsvr32\.exe</field>
    </rule>
    <rule id="901076" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Potential Data Stealing Via Chromium Headless Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-remote\-debugging\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-user\-data\-dir</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
    </rule>
    <rule id="901077" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Browser Execution In Headless Mode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
    </rule>
    <rule id="901078" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>File Download with Headless Browser</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dump\-dom</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901079" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1176</id>
        </mitre>
        <description>Chromium Browser Instance Executed With Custom Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-load\-extension=</field>
    </rule>
    <rule id="901080" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1176</id>
        </mitre>
        <description>Suspicious Chromium Browser Instance Executed With Custom Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-load\-extension=</field>
    </rule>
    <rule id="901081" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Browser Started with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-remote\-debugging\-</field>
    </rule>
    <rule id="901082" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Browser Started with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+firefox\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-start\-debugger\-server</field>
    </rule>
    <rule id="901083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>Tor Client/Browser Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tor\.exe|\\+Tor\ Browser\\+Browser\\+firefox\.exe)$</field>
    </rule>
    <rule id="901084" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Calculator Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+calc\.exe\ )</field>
    </rule>
    <rule id="901085" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Calculator Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="901086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious File Downloaded From Direct IP Via Certutil.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)CertUtil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:urlcache\ |verifyctl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://7\-</field>
    </rule>
    <rule id="901087" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1614.001</id>
        </mitre>
        <description>Console CodePage Lookup Via CHCP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-c\ |\ \-r\ |\ \-k\ )</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chcp\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:chcp|chcp\ |chcp\ \ )$</field>
    </rule>
    <rule id="901088" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1036</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious CodePage Switch Via CHCP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chcp\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ 936|\ 1258)$</field>
    </rule>
    <rule id="901089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Access via TrolleyExpress Exclusion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\ 7|\\+TrolleyExpress\ 8|\\+TrolleyExpress\ 9|\\+TrolleyExpress\.exe\ 7|\\+TrolleyExpress\.exe\ 8|\\+TrolleyExpress\.exe\ 9|\\+TrolleyExpress\.exe\ \-ma\ )</field>
    </rule>
    <rule id="901090" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Access via TrolleyExpress Exclusion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)CtxInstall</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901091" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>Data Copied To Clipboard Via Clip.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+clip\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)clip\.exe</field>
    </rule>
    <rule id="901092" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Portable Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cloudflared\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+cloudflared\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+cloudflared\\+</field>
    </rule>
    <rule id="901093" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Quick Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cloudflared\.exe|\\+cloudflared\-windows\-386\.exe|\\+cloudflared\-windows\-amd64\.exe)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29|SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8|SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039|SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28|SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7|SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373|SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670|SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a|SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0|SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1|SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2|SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac|SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f|SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d|SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499|SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b|SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f|SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032|SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234|SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f|SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058|SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c|SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f|SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5|SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3|SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4|SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c|SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4|SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f|SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad|SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7|SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75|SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6|SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688|SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f|SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663|SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77|SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-url|\.exe\ \-\-url</field>
    </rule>
    <rule id="901094" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Quick Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-no\-autoupdate</field>
    </rule>
    <rule id="901095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1090</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Cloudflared Tunnel Connections Cleanup</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cleanup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-connector\-id\ )</field>
    </rule>
    <rule id="901096" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1090</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Cloudflared Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-credentials\-contents\ |\-credentials\-file\ |\-token\ )</field>
    </rule>
    <rule id="901097" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Change Default File Association To Executable Via Assoc</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:assoc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)exefile</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe=exefile</field>
    </rule>
    <rule id="901098" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Curl Download And Execute Combination</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:curl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-o</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;</field>
    </rule>
    <rule id="901099" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1217</id>
        </mitre>
        <description>File Enumeration Via Dir Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)dir.+\-s</field>
    </rule>
    <rule id="901100" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential Dosfuscation Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\^\^|\^\|\^|,;,|;;;;|;;\ ;;|\(,\(,|%COMSPEC:\~|\ c\^m\^d|\^c\^m\^d|\ c\^md|\ cm\^d|\^cm\^d|\ s\^et\ |\ s\^e\^t\ |\ se\^t\ )</field>
    </rule>
    <rule id="901101" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.command_and_control</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Command Line Execution with Suspicious URL and AppData Strings</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%AppData%</field>
    </rule>
    <rule id="901102" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>VolumeShadowCopy Symlink Creation Via Mklink</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mklink</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="901103" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe/c|\\+cmd/c|"cmd/c|cmd\.exe/k|\\+cmd/k|"cmd/k|cmd\.exe/r|\\+cmd/r|"cmd/r</field>
    </rule>
    <rule id="901104" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/cwhoami|/cpowershell|/cschtasks|/cbitsadmin|/ccertutil|/kwhoami|/kpowershell|/kschtasks|/kbitsadmin|/kcertutil</field>
    </rule>
    <rule id="901105" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c|cmd\ /c|cmd\.exe\ /k|cmd\ /k|cmd\.exe\ /r|cmd\ /r</field>
    </rule>
    <rule id="901106" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /k\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /k\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+resources\\+app\\+node_modules</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe/c\ \.)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)cmd\.exe\ /c</field>
    </rule>
    <rule id="901107" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>NtdllPipe Like Activity Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type\ %windir%\\+system32\\+ntdll\.dll|type\ %systemroot%\\+system32\\+ntdll\.dll|type\ c:\\+windows\\+system32\\+ntdll\.dll|\\+ntdll\.dll\ &gt;\ \\+\.\\+pipe\\+</field>
    </rule>
    <rule id="901108" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Potential CommandLine Path Traversal Via Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)cmd\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/c|/k|/r</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/k|/r</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/\.\./\.\./</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/\.\./\.\./</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Tasktop\\+keycloak\\+bin\\+/\.\./\.\./jre\\+bin\\+java</field>
    </rule>
    <rule id="901109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious CMD Shell Output Redirect</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)&gt;.%APPDATA%\\+|&gt;.%TEMP%\\+|&gt;.%TMP%\\+|&gt;.%USERPROFILE%\\+|&gt;.C:\\+ProgramData\\+|&gt;.C:\\+Temp\\+|&gt;.C:\\+Users\\+Public\\+|&gt;.C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901110" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious CMD Shell Output Redirect</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ &gt;|"&gt;|'&gt;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
    </rule>
    <rule id="901111" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Copy From VolumeShadowCopy Via Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.\\+GLOBALROOT\\+Device\\+HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="901112" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.008</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Persistence Via Sticky Key Backdoor</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/y\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+windows\\+system32\\+cmd\.exe\ C:\\+windows\\+system32\\+sethc\.exe</field>
    </rule>
    <rule id="901113" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.008</id>
            <id>car.2014-11-003</id>
            <id>car.2014-11-008</id>
        </mitre>
        <description>Sticky Key Like Backdoor Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sethc\.exe|utilman\.exe|osk\.exe|Magnify\.exe|Narrator\.exe|DisplaySwitch\.exe</field>
    </rule>
    <rule id="901114" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Unusual Parent Process For Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+ctfmon\.exe|\\+dllhost\.exe|\\+epad\.exe|\\+FlashPlayerUpdateService\.exe|\\+GoogleUpdate\.exe|\\+jucheck\.exe|\\+jusched\.exe|\\+LogonUI\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+SearchIndexer\.exe|\\+SearchProtocolHost\.exe|\\+SIHClient\.exe|\\+sihost\.exe|\\+slui\.exe|\\+spoolsv\.exe|\\+sppsvc\.exe|\\+taskhostw\.exe|\\+unsecapp\.exe|\\+WerFault\.exe|\\+wermgr\.exe|\\+wlanext\.exe|\\+WUDFHost\.exe)$</field>
    </rule>
    <rule id="901115" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
    </rule>
    <rule id="901116" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious High IntegrityLevel Conhost Legacy Option</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)conhost\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0xffffffff</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ForceV1</field>
    </rule>
    <rule id="901117" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Conhost.exe CommandLine Path Traversal</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)conhost</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/\.\./\.\./</field>
    </rule>
    <rule id="901118" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of Conhost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="901119" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of Conhost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)SystemTraceProvider\-Process</field>
    </rule>
    <rule id="901120" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Conhost Spawned By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+services\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+userinit\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ apphost\ \-s\ AppHostSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ imgsvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ localService\ \-p\ \-s\ RemoteRegistry</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ LocalSystemNetworkRestricted\ \-p\ \-s\ NgcSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ NetSvcs\ \-p\ \-s\ NcaSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ netsvcs\ \-p\ \-s\ NetSetupSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ netsvcs\ \-p\ \-s\ wlidsvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ NetworkService\ \-p\ \-s\ DoSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ wsappx\ \-p\ \-s\ AppXSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ wsappx\ \-p\ \-s\ ClipSVC</field>
    </rule>
    <rule id="901121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Conhost Spawned By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+services\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+userinit\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dropbox\\+Client\\+</field>
    </rule>
    <rule id="901122" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.002</id>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Control Panel Items</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)CurrentVersion\\+Control\ Panel\\+CPLs</field>
    </rule>
    <rule id="901123" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.002</id>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Control Panel Items</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.cpl)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)%System%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\|C:\\+Windows\\+system32\|</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:regsvr32\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /s\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)igfxCPL\.cpl</field>
    </rule>
    <rule id="901124" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+Temporary\ Internet|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901125" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="901126" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\+[Aa]pp[Dd]ata\\+([Ll]ocal(Ll]ow)?|[Rr]oaming))\\+[^\\+]{1,256}$</field>
    </rule>
    <rule id="901127" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+sdiagnhost\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+inetsrv\\+w3wp\.exe</field>
    </rule>
    <rule id="901128" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+chocolatey\\+choco\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+ProgramData\\+Microsoft\\+Windows\ Defender\ Advanced\ Threat\ Protection</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA</field>
    </rule>
    <rule id="901129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csc\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+excel\.exe|\\+mshta\.exe|\\+onenote\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csc\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-Encoded\ |FromBase64String</field>
    </rule>
    <rule id="901131" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csc\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\+[Aa]pp[Dd]ata\\+([Ll]ocal(Ll]ow)?|[Rr]oaming))\\+[^\\+]{1,256}$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+Temporary\ Internet</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="901132" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csc\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+sdiagnhost\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+inetsrv\\+w3wp\.exe</field>
    </rule>
    <rule id="901133" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csc\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+chocolatey\\+choco\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+ProgramData\\+Microsoft\\+Windows\ Defender\ Advanced\ Threat\ Protection</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA</field>
    </rule>
    <rule id="901134" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Suspicious Use of CSharp Interactive Console</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csi\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csi\.exe</field>
    </rule>
    <rule id="901135" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Active Directory Structure Export Via Csvde.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csvde\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)csvde\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-f</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-i</field>
    </rule>
    <rule id="901136" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>File Download From IP URL Via Curl.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)curl\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-O|\-\-remote\-name|\-\-output</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs')$</field>
    </rule>
    <rule id="901137" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)The\ curl\ executable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%AppData%|%Public%|%Temp%|%tmp%|\\+AppData\\+|\\+Desktop\\+|\\+Temp\\+|\\+Users\\+Public\\+|C:\\+PerfLogs\\+|C:\\+ProgramData\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901138" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)The\ curl\ executable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.dll|\.gif|\.jpeg|\.jpg|\.png|\.temp|\.tmp|\.txt|\.vbe|\.vbs)$</field>
    </rule>
    <rule id="901139" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)The\ curl\ executable</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+usr\\+bin\\+sh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+mingw64\\+bin\\+curl\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-\-silent\ \-\-show\-error\ \-\-output\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)gfw\-httpget\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)AppData</field>
    </rule>
    <rule id="901140" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Remote File Download Via Desktopimgdownldr Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+desktopimgdownldr\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+desktopimgdownldr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lockscreenurl:http</field>
    </rule>
    <rule id="901141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /lockscreenurl:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.jpg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.jpeg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.png</field>
    </rule>
    <rule id="901142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\ delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+PersonalizationCSP</field>
    </rule>
    <rule id="901143" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Arbitrary MSI Download Via Devinit.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ msi\-install\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-i\ http</field>
    </rule>
    <rule id="901144" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of ClickOnce Application</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Apps\\+2\.0\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+explorer\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+nltest\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+reg\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+werfault\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901145" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1083</id>
        </mitre>
        <description>DirLister Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)DirLister\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dirlister\.exe)$</field>
    </rule>
    <rule id="901146" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of DiskShadow.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+diskshadow\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901147" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Diskshadow Script Mode - Uncommon Script Extension Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)diskshadow\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+diskshadow\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-s\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.txt</field>
    </rule>
    <rule id="901148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Dllhost.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dllhost\.exe|dllhost</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901149" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Sideloading by VMware Xfer Utility</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VMwareXferlogs\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VMware\\+)</field>
    </rule>
    <rule id="901150" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dnscmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/serverlevelplugindll</field>
    </rule>
    <rule id="901151" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>DNS Exfiltration and Tunneling Tools Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+iodine\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+dnscat2</field>
    </rule>
    <rule id="901152" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual Child Process of dns.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
    </rule>
    <rule id="901153" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>DriverQuery.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:driverquery\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)drvqry\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Users\\+Public\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901154" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Dism Remove Online Package</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DismHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Online</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Disable\-Feature</field>
    </rule>
    <rule id="901155" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Dism Remove Online Package</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Dism\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Online</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Disable\-Feature</field>
    </rule>
    <rule id="901156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Kernel Dump Using Dtrace</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dtrace\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lkd$0$</field>
    </rule>
    <rule id="901157" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Kernel Dump Using Dtrace</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)syscall:::return</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lkd\(</field>
    </rule>
    <rule id="901158" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Extensions\\+</field>
    </rule>
    <rule id="901159" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.txt</field>
    </rule>
    <rule id="901160" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ Full</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ Mini</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ WithHeap</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-dumpType</field>
    </rule>
    <rule id="901161" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Esentutl Gather Credentials</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)esentutl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /p</field>
    </rule>
    <rule id="901162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>car.2013-07-001</id>
            <id>attack.s0404</id>
        </mitre>
        <description>Copying Sensitive Files with Credential Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+esentutl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)\\+esentutl\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:vss|\ /m\ |\ /y\ )</field>
    </rule>
    <rule id="901163" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>car.2013-07-001</id>
            <id>attack.s0404</id>
        </mitre>
        <description>Copying Sensitive Files with Credential Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+windows\\+ntds\\+ntds\.dit|\\+config\\+sam|\\+config\\+security|\\+config\\+system\ |\\+repair\\+sam|\\+repair\\+system|\\+repair\\+security|\\+config\\+RegBack\\+sam|\\+config\\+RegBack\\+system|\\+config\\+RegBack\\+security</field>
    </rule>
    <rule id="901164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>Potentially Suspicious Event Viewer Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+eventvwr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WerFault\.exe)$</field>
    </rule>
    <rule id="901165" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-F:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet|:\\+ProgramData|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|:\\+Windows\\+Temp</field>
    </rule>
    <rule id="901166" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-F:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901167" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-F:</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Dell\\+UpdateService\\+ServiceShell\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Dell\\+UpdateService\\+Temp\\+</field>
    </rule>
    <rule id="901168" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Explorer Process Tree Break</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/factory,\{75dff2b7\-6936\-4c06\-a8bb\-676a7b00b24b\}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)explorer\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /root,</field>
    </rule>
    <rule id="901169" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Proxy Execution Via Explorer.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)explorer\.exe</field>
    </rule>
    <rule id="901170" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Explorer NOUACCHECK Flag</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/NOUACCHECK</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
    </rule>
    <rule id="901171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>LSASS Process Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+find\.exe|\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)FIND\.EXE|FINDSTR\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass</field>
    </rule>
    <rule id="901172" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>LSASS Process Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /i\ "lsass|\ /i\ lsass\.exe|findstr\ "lsass|findstr\ lsass|findstr\.exe\ "lsass|findstr\.exe\ lsass</field>
    </rule>
    <rule id="901173" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Permission Misconfiguration Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+find\.exe|\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)FIND\.EXE|FINDSTR\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"Everyone"|'Everyone'|"BUILTIN\\+"|'BUILTIN\\+'</field>
    </rule>
    <rule id="901174" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Permission Misconfiguration Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:icacls\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:findstr\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Everyone</field>
    </rule>
    <rule id="901175" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1057</id>
        </mitre>
        <description>Recon Command Output Piped To Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:ipconfig\ /all\ \|\ find\ |ipconfig\ /all\ \|\ findstr\ |ipconfig\ \|\ find\ |ipconfig\ \|\ findstr\ |ipconfig\.exe\ /all\ \|\ find\ |ipconfig\.exe\ /all\ \|\ findstr\ |ipconfig\.exe\ \|\ find\ |ipconfig\.exe\ \|\ findstr\ |net\ start\ \|\ find|net\ start\ \|\ findstr|net\.exe\ start\ \|\ find|net\.exe\ start\ \|\ findstr|net1\ start\ \|\ find|net1\ start\ \|\ findstr|net1\.exe\ start\ \|\ find|net1\.exe\ start\ \|\ findstr|netstat\ \-ano\ \|\ find|netstat\ \-ano\ \|\ findstr|netstat\ \|\ find|netstat\ \|\ findstr|netstat\.exe\ \-ano\ \|\ find|netstat\.exe\ \-ano\ \|\ findstr|netstat\.exe\ \|\ find|netstat\.exe\ \|\ findstr|ping\ \|\ find|ping\ \|\ findstr|ping\.exe\ \|\ find|ping\.exe\ \|\ findstr|systeminfo\ \|\ find\ |systeminfo\ \|\ findstr\ |systeminfo\.exe\ \|\ find\ |systeminfo\.exe\ \|\ findstr\ |tasklist\ \|\ find\ |tasklist\ \|\ findstr\ |tasklist\.exe\ \|\ find\ |tasklist\.exe\ \|\ findstr\ |whoami\ /all\ \|\ find\ |whoami\ /all\ \|\ findstr\ |whoami\.exe\ /all\ \|\ find\ |whoami\.exe\ /all\ \|\ findstr\ )</field>
    </rule>
    <rule id="901176" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Finger.exe Suspicious Invocation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)finger\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+finger\.exe)$</field>
    </rule>
    <rule id="901177" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Filter Driver Unloaded Via Fltmc.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fltMC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)fltMC\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)unload</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:unload\ rtp_filesystem_filter)$</field>
    </rule>
    <rule id="901178" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Forfiles.EXE Child Process Masquerading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.exe|\.exe")$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:/c\ echo\ ")</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+forfiles\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
    </rule>
    <rule id="901179" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Arbitrary File Download Via GfxDownloadWrapper.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GfxDownloadWrapper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://|https://</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https://gameplayapi\.intel\.com/</field>
    </rule>
    <rule id="901180" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious GoogleUpdate Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Google</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+setup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:chrome_updater\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:chrome_installer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901181" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Portable Gpg.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpg\.exe|\\+gpg2\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)gpg\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)GnuPGвЂ™s\ OpenPGP\ tool</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GNU\\+GnuPG\\+bin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GnuPG\ VS\-Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GnuPG\\+bin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Gpg4win\\+bin\\+</field>
    </rule>
    <rule id="901182" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1615</id>
        </mitre>
        <description>Gpresult Display Group Policy Information</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpresult\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/z|/v</field>
    </rule>
    <rule id="901183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Arbitrary Binary Execution Using GUP Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+gup\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Notepad\+\+\\+notepad\+\+\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Notepad\+\+\\+updater\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901184" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>File Download Using Notepad++ GUP Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GUP\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)gup\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-unzipTo\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+notepad\+\+\.exe)$</field>
    </rule>
    <rule id="901185" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Suspicious GUP Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Roaming\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
    </rule>
    <rule id="901186" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
            <id>attack.t1047</id>
            <id>attack.t1059.001</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.t1218</id>
            <id>attack.t1218.001</id>
            <id>attack.t1218.010</id>
            <id>attack.t1218.011</id>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>HTML Help HH.EXE Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+hh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CertReq\.exe|\\+CertUtil\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+installutil\.exe|\\+MSbuild\.exe|\\+MSHTA\.EXE|\\+msiexec\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901187" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>HackTool - ADCSPwn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-adcs\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-port\ )</field>
    </rule>
    <rule id="901188" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)SharpHound</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SharpHound</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)SpecterOps|evil\ corp</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Bloodhound\.exe|\\+SharpHound\.exe</field>
    </rule>
    <rule id="901189" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-CollectionMethod\ All\ |\ \-\-CollectionMethods\ Session\ |\ \-\-Loop\ \-\-Loopduration\ |\ \-\-PortScanTimeout\ |\.exe\ \-c\ All\ \-d\ |Invoke\-Bloodhound|Get\-BloodHoundData</field>
    </rule>
    <rule id="901190" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-JsonFolder\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ZipFileName\ )</field>
    </rule>
    <rule id="901191" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ DCOnly\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-NoSaveCache\ )</field>
    </rule>
    <rule id="901192" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>HackTool - F-Secure C3 Load by Rundll32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)StartNodeRelay</field>
    </rule>
    <rule id="901193" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certify.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>HackTool - Certify Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Certify\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Certify\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Certify</field>
    </rule>
    <rule id="901194" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>HackTool - Certipy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Certipy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Certipy\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Certipy</field>
    </rule>
    <rule id="901195" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /C\ whoami)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Temp\\+)</field>
    </rule>
    <rule id="901196" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+runonce\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c\ echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)&gt;\ \\+\.\\+pipe</field>
    </rule>
    <rule id="901197" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /C\ echo</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ &gt;\ \\+\.\\+pipe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:conhost\.exe\ 0xffffffff\ \-ForceV1)$</field>
    </rule>
    <rule id="901198" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:/C\ whoami)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:conhost\.exe\ 0xffffffff\ \-ForceV1)$</field>
    </rule>
    <rule id="901199" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CoercedPotato\.exe)$</field>
    </rule>
    <rule id="901200" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-exploitId\ )</field>
    </rule>
    <rule id="901201" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)a75d7669db6b2e107a44c4057ff7f7d6|f91624350e2c678c5dcbe5e1f24e22c9|14c81850a079a87e83d50ca41c709a15</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6|IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9|IMPHASH=14C81850A079A87E83D50CA41C709A15</field>
    </rule>
    <rule id="901202" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>HackTool - Covenant PowerShell Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Sta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Window</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Command|\-EncodedCommand</field>
    </rule>
    <rule id="901203" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>HackTool - Covenant PowerShell Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sv\ o\ $New\-Object\ IO\.MemorySteam$;sv\ d\ |mshta\ file\.hta|GruntHTTP|\-EncodedCommand\ cwB2ACAAbwAgA</field>
    </rule>
    <rule id="901204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+crackmapexec\.exe)$</field>
    </rule>
    <rule id="901205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ pe_inject\ )</field>
    </rule>
    <rule id="901206" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-x\ )</field>
    </rule>
    <rule id="901207" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-H\ 'NTHASH'</field>
    </rule>
    <rule id="901208" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ mssql\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
    </rule>
    <rule id="901209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ smb\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-H\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-o\ )</field>
    </rule>
    <rule id="901210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ smb\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
    </rule>
    <rule id="901211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.s0106</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /Q\ /c\ .+\ 1&gt;\ \\+.+\\+.+\\+.+\ 2&gt;\&amp;1|cmd\.exe\ /C\ .+\ &gt;\ \\+.+\\+.+\\+.+\ 2&gt;\&amp;1|cmd\.exe\ /C\ .+\ &gt;\ .+\\+Temp\\+.+\ 2&gt;\&amp;1|powershell\.exe\ \-exec\ bypass\ \-noni\ \-nop\ \-w\ 1\ \-C\ "|powershell\.exe\ \-noni\ \-nop\ \-w\ 1\ \-enc\ )</field>
    </rule>
    <rule id="901212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tasklist\ /fi\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Imagename\ eq\ lsass\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /c\ |cmd\.exe\ /r\ |cmd\.exe\ /k\ |cmd\ /c\ |cmd\ /r\ |cmd\ /k\ )</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
    </rule>
    <rule id="901213" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)do\ rundll32\.exe\ C:\\+windows\\+System32\\+comsvcs\.dll,\ MiniDump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%%B</field>
    </rule>
    <rule id="901214" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tasklist\ /v\ /fo\ csv</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)findstr\ /i\ "lsass"</field>
    </rule>
    <rule id="901215" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CreateMiniDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CreateMiniDump\.exe)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)4a07f944a83e8a7c2525efa35dd30e2f</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f</field>
    </rule>
    <rule id="901216" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - DInjector PowerShell Cradle Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /am51</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /password</field>
    </rule>
    <rule id="901217" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Dumpert Process Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)09D278F9DE118EF09163C6140255C690</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Dumpert\.dll</field>
    </rule>
    <rule id="901218" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>HackTool - EDRSilencer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+EDRSilencer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)EDRSilencer\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)EDRSilencer</field>
    </rule>
    <rule id="901219" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Empire PowerShell Launch Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-NoP\ \-sta\ \-NonI\ \-W\ Hidden\ \-Enc\ |\ \-noP\ \-sta\ \-w\ 1\ \-enc\ |\ \-NoP\ \-NonI\ \-W\ Hidden\ \-enc\ |\ \-noP\ \-sta\ \-w\ 1\ \-enc|\ \-enc\ \ SQB|\ \-nop\ \-exec\ bypass\ \-EncodedCommand\ )</field>
    </rule>
    <rule id="901220" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>HackTool - Empire PowerShell UAC Bypass</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ \$x=\$$\(gp\ HKCU:Software\\+Microsoft\\+Windows\ Update$\.Update\)|\ \-NoP\ \-NonI\ \-c\ \$x=\$$\(gp\ HKCU:Software\\+Microsoft\\+Windows\ Update$\.Update\);</field>
    </rule>
    <rule id="901221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>HackTool - WinRM Access Via Evil-WinRM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ruby\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-i\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-p\ )</field>
    </rule>
    <rule id="901222" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1588.002</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Hacktool Execution - Imphash</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)bcca3c247b619dcd13c8cdff5f123932|3a19059bd7688cb88e70005f18efc439|bf6223a49e45d99094406777eb6004ba|23867a89c2b8fc733be6cf5ef902f2d1|a37ff327f8d48e8a4d2f757e1b6e70bc|f9a28c458284584a93b14216308d31bd|6118619783fc175bc7ebecff0769b46e|959a83047e80ab68b368fdb3f4c6e4ea|563233bfa169acc7892451f71ad5850a|87575cb7a0e0700eb37f2e3668671a08|13f08707f759af6003837a150a371ba1|1781f06048a7e58b323f0b9259be798b|233f85f2d4bc9d6521a6caae11a1e7f5|24af2584cbf4d60bbe5c6d1b31b3be6d|632969ddf6dbf4e0f53424b75e4b91f2|713c29b396b907ed71a72482759ed757|749a7bb1f0b4c4455949c0b2bf7f9e9f|8628b2608957a6b0c6330ac3de28ce2e|8b114550386e31895dfab371e741123d|94cb940a1a6b65bed4d5a8f849ce9793|9d68781980370e00e0bd939ee5e6c141|b18a1401ff8f444056d29450fbc0a6ce|cb567f9498452721d77a451374955f5f|730073214094cd328547bf1f72289752|17b461a082950fc6332228572138b80c|dc25ee78e2ef4d36faa0badf1e7461c9|819b19d53ca6736448f9325a85736792|829da329ce140d873b4a8bde2cbfaa7e|c547f2e66061a8dffb6f5a3ff63c0a74|0588081ab0e63ba785938467e1b10cca|0d9ec08bac6c07d9987dfd0f1506587c|bc129092b71c89b4d4c8cdf8ea590b29|4da924cf622d039d58bce71cdf05d242|e7a3a5c377e2d29324093377d7db1c66|9a9dbec5c62f0380b4fa5fd31deffedf|af8a3976ad71e5d5fdfb67ddb8dadfce|0c477898bbf137bbd6f2a54e3b805ff4|0ca9f02b537bcea20d4ea5eb1a9fe338|3ab3655e5a14d4eefc547f4781bf7f9e|e6f9d5152da699934b30daab206471f6|3ad59991ccf1d67339b319b15a41b35d|ffdd59e0318b85a3e480874d9796d872|0cf479628d7cc1ea25ec7998a92f5051|07a2d4dcbd6cb2c6a45e6b101f0b6d51|d6d0f80386e1380d05cb78e871bc72b1|38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650|ada161bf41b8e5e9132858cb54cab5fb|2a1bc4913cd5ecb0434df07cb675b798|11083e75553baae21dc89ce8f9a195e4|a23d29c9e566f2fa8ffbb79267f5df80|4a07f944a83e8a7c2525efa35dd30e2f|767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b|a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2|32089b8851bbf8bc2d014e9f37288c83|09D278F9DE118EF09163C6140255C690|03866661686829d806989e2fc5a72606|e57401fbdadcd4571ff385ab82bd5d6d|84B763C45C0E4A3E7CA5548C710DB4EE|19584675d94829987952432e018d5056|330768a4f172e10acb6287b87289d83b|885c99ccfbe77d1cbfcb9c4e7c1a3313|22a22bc9e4e0d2f189f1ea01748816ac|7fa30e6bb7e8e8a69155636e50bf1b28|96df3a3731912449521f6f8d183279b1|7e6cf3ff4576581271ac8a313b2aab46|51791678f351c03a0eb4e2a7b05c6e17|25ce42b079282632708fc846129e98a5|021bcca20ba3381b11bdde26b4e62f20|59223b5f52d8799d38e0754855cbdf42|81e75d8f1d276c156653d3d8813e4a43|17244e8b6b8227e57fe709ccad421420|5b76da3acdedc8a5cdf23a798b5936b4|cb2b65bb77d995cc1c0e5df1c860133c|40445337761d80cf465136fafb1f63e6|8a790f401b29fa87bc1e56f7272b3aa6|b50199e952c875241b9ce06c971ce3c1</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932|IMPHASH=3A19059BD7688CB88E70005F18EFC439|IMPHASH=bf6223a49e45d99094406777eb6004ba|IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1|IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC|IMPHASH=F9A28C458284584A93B14216308D31BD|IMPHASH=6118619783FC175BC7EBECFF0769B46E|IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA|IMPHASH=563233BFA169ACC7892451F71AD5850A|IMPHASH=87575CB7A0E0700EB37F2E3668671A08|IMPHASH=13F08707F759AF6003837A150A371BA1|IMPHASH=1781F06048A7E58B323F0B9259BE798B|IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5|IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D|IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2|IMPHASH=713C29B396B907ED71A72482759ED757|IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F|IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E|IMPHASH=8B114550386E31895DFAB371E741123D|IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793|IMPHASH=9D68781980370E00E0BD939EE5E6C141|IMPHASH=B18A1401FF8F444056D29450FBC0A6CE|IMPHASH=CB567F9498452721D77A451374955F5F|IMPHASH=730073214094CD328547BF1F72289752|IMPHASH=17B461A082950FC6332228572138B80C|IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9|IMPHASH=819B19D53CA6736448F9325A85736792|IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E|IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74|IMPHASH=0588081AB0E63BA785938467E1B10CCA|IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C|IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29|IMPHASH=4DA924CF622D039D58BCE71CDF05D242|IMPHASH=E7A3A5C377E2D29324093377D7DB1C66|IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF|IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE|IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4|IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338|IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E|IMPHASH=E6F9D5152DA699934B30DAAB206471F6|IMPHASH=3AD59991CCF1D67339B319B15A41B35D|IMPHASH=FFDD59E0318B85A3E480874D9796D872|IMPHASH=0CF479628D7CC1EA25EC7998A92F5051|IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51|IMPHASH=D6D0F80386E1380D05CB78E871BC72B1|IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650|IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB|IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798|IMPHASH=11083E75553BAAE21DC89CE8F9A195E4|IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80|IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F|IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B|IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F|IMPHASH=E96A73C7BF33A464C510EDE582318BF2|IMPHASH=32089B8851BBF8BC2D014E9F37288C83|IMPHASH=09D278F9DE118EF09163C6140255C690|IMPHASH=03866661686829d806989e2fc5a72606|IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d|IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE|IMPHASH=19584675D94829987952432E018D5056|IMPHASH=330768A4F172E10ACB6287B87289D83B|IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313|IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC|IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28|IMPHASH=96DF3A3731912449521F6F8D183279B1|IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46|IMPHASH=51791678F351C03A0EB4E2A7B05C6E17|IMPHASH=25CE42B079282632708FC846129E98A5|IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20|IMPHASH=59223B5F52D8799D38E0754855CBDF42|IMPHASH=81E75D8F1D276C156653D3D8813E4A43|IMPHASH=17244E8B6B8227E57FE709CCAD421420|IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4|IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C|IMPHASH=40445337761D80CF465136FAFB1F63E6|IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6|IMPHASH=B50199E952C875241B9CE06C971CE3C1</field>
    </rule>
    <rule id="901223" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1588.002</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Hacktool Execution - PE Metadata</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)Cube0x0</field>
    </rule>
    <rule id="901224" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gmer\.exe)$</field>
    </rule>
    <rule id="901225" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=E9DC058440D321AA17D0600B3CA0AB04|SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57|SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173</field>
    </rule>
    <rule id="901226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)e9dc058440d321aa17d0600b3ca0ab04</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)539c228b6b332f5aa523e5ce358c16647d8bbe57</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173</field>
    </rule>
    <rule id="901227" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+loader\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-pid:</field>
    </rule>
    <rule id="901228" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650</field>
    </rule>
    <rule id="901229" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-pid:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-outfile:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp|lsass|\.obf|dump</field>
    </rule>
    <rule id="901230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.002</id>
        </mitre>
        <description>HackTool - Hashcat Password Cracker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+hashcat\.exe)$</field>
    </rule>
    <rule id="901231" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.002</id>
        </mitre>
        <description>HackTool - Hashcat Password Cracker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-m\ 1000\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-r\ )</field>
    </rule>
    <rule id="901232" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
            <id>attack.s0040</id>
        </mitre>
        <description>HackTool - Htran/NATBypass Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+htran\.exe|\\+lcx\.exe)$</field>
    </rule>
    <rule id="901233" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
            <id>attack.s0040</id>
        </mitre>
        <description>HackTool - Htran/NATBypass Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ \-tran\ |\.exe\ \-slave\ )</field>
    </rule>
    <rule id="901234" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>HackTool - Hydra Password Bruteforce Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\^USER\^|\^PASS\^</field>
    </rule>
    <rule id="901235" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>HackTool - Potential Impacket Lateral Movement Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe|\\+mmc\.exe|\\+explorer\.exe|\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Q</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+127\.0\.0\.1\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;1</field>
    </rule>
    <rule id="901236" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>HackTool - Potential Impacket Lateral Movement Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs|taskeng\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/C</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;1</field>
    </rule>
    <rule id="901237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>HackTool - Impacket Tools Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+goldenPac|\\+karmaSMB|\\+kintercept|\\+ntlmrelayx|\\+rpcdump|\\+samrdump|\\+secretsdump|\\+smbexec|\\+smbrelayx|\\+wmiexec|\\+wmipersist</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+atexec_windows\.exe|\\+dcomexec_windows\.exe|\\+dpapi_windows\.exe|\\+findDelegation_windows\.exe|\\+GetADUsers_windows\.exe|\\+GetNPUsers_windows\.exe|\\+getPac_windows\.exe|\\+getST_windows\.exe|\\+getTGT_windows\.exe|\\+GetUserSPNs_windows\.exe|\\+ifmap_windows\.exe|\\+mimikatz_windows\.exe|\\+netview_windows\.exe|\\+nmapAnswerMachine_windows\.exe|\\+opdump_windows\.exe|\\+psexec_windows\.exe|\\+rdp_check_windows\.exe|\\+sambaPipe_windows\.exe|\\+smbclient_windows\.exe|\\+smbserver_windows\.exe|\\+sniff_windows\.exe|\\+sniffer_windows\.exe|\\+split_windows\.exe|\\+ticketer_windows\.exe)$</field>
    </rule>
    <rule id="901238" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)impersonate\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ list\ |\ exec\ |\ adduser\ )</field>
    </rule>
    <rule id="901239" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=9520714AB576B0ED01D1513691377D01|SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A|IMPHASH=0A358FFC1697B7A07D0E817AC740DF62</field>
    </rule>
    <rule id="901240" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)9520714AB576B0ED01D1513691377D01</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)0A358FFC1697B7A07D0E817AC740DF62</field>
    </rule>
    <rule id="901241" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Inveigh Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Inveigh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)\\+Inveigh\.exe|\\+Inveigh\.dll</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Inveigh</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-SpooferIP|\ \-ReplyToIPs\ |\ \-ReplyToDomains\ |\ \-ReplyToMACs\ |\ \-SnifferIP</field>
    </rule>
    <rule id="901242" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clipboard\]::</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="901243" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[String\]\s*\$VerbosePreference</field>
    </rule>
    <rule id="901244" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="901245" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader|readtoend\(</field>
    </rule>
    <rule id="901246" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)environment|invoke|input</field>
    </rule>
    <rule id="901247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clip</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clipboard|invoke|i`|n`|v`|o`|k`|e`</field>
    </rule>
    <rule id="901248" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="901249" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="901250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xcopy\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901251" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xcopy\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pwsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901252" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\+s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\+h</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+KrbRelay\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)KrbRelay\.exe</field>
    </rule>
    <rule id="901254" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-spn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-clsid\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-rbcd\ )</field>
    </rule>
    <rule id="901255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadowcred</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clsid</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)spn</field>
    </rule>
    <rule id="901256" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:spn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:session\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:clsid\ )</field>
    </rule>
    <rule id="901257" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+KrbRelayUp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)KrbRelayUp\.exe</field>
    </rule>
    <rule id="901258" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ relay\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-Domain\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ComputerName\ )</field>
    </rule>
    <rule id="901259" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ krbscm\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-sc\ )</field>
    </rule>
    <rule id="901260" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ spawn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-cn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-cp\ )</field>
    </rule>
    <rule id="901261" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+LocalPotato\.exe)$</field>
    </rule>
    <rule id="901262" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-i\ C:\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-o\ Windows\\+</field>
    </rule>
    <rule id="901263" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=E1742EE971D6549E8D4D81115F88F1FC|IMPHASH=DD82066EFBA94D7556EF582F247C8BB5</field>
    </rule>
    <rule id="901264" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)E1742EE971D6549E8D4D81115F88F1FC|DD82066EFBA94D7556EF582F247C8BB5</field>
    </rule>
    <rule id="901265" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="901266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="901267" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)MpCmdRun</field>
    </rule>
    <rule id="901268" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DumpCreds|mimikatz</field>
    </rule>
    <rule id="901269" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::aadcookie|::detours|::memssp|::mflt|::ncroutemon|::ngcsign|::printnightmare|::skeleton|::preshutdown|::mstsc|::multirdp</field>
    </rule>
    <rule id="901270" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rpc::|token::|crypto::|dpapi::|sekurlsa::|kerberos::|lsadump::|privilege::|process::|vault::</field>
    </rule>
    <rule id="901271" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PCHunter64\.exe|\\+PCHunter32\.exe)$</field>
    </rule>
    <rule id="901272" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PCHunter\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Epoolsoft\ Windows\ Information\ View\ Tools</field>
    </rule>
    <rule id="901273" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA1=5F1CBC3D99558307BC1250D084FA968521482025|MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7|SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32|IMPHASH=444D210CEA1FF8112F256A4997EED7FF|SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB|MD5=228DD0C2E6287547E26FFBD973A40F14|SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C|IMPHASH=0479F44DF47CFA2EF1CCC4416A538663</field>
    </rule>
    <rule id="901274" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)228dd0c2e6287547e26ffbd973a40f14|987b65cd9b9f4e9a1afd8f8b48cf64a7</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)5f1cbc3d99558307bc1250d084fa968521482025|3fb89787cb97d902780da080545584d97fb1c2eb</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32|55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)444d210cea1ff8112f256a4997eed7ff|0479f44df47cfa2ef1ccc4416a538663</field>
    </rule>
    <rule id="901275" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.s0111</id>
            <id>attack.g0022</id>
            <id>attack.g0060</id>
            <id>car.2013-08-001</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Default PowerSploit/Empire Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell\.exe\ \-NonI</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/TN\ Updater\ /TR</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/SC\ ONLOGON|/SC\ DAILY\ /ST|/SC\ ONIDLE|/SC\ HOURLY</field>
    </rule>
    <rule id="901276" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - PowerTool Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PowerTool\.exe|\\+PowerTool64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerTool\.exe</field>
    </rule>
    <rule id="901277" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>HackTool - PurpleSharp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+purplesharp</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PurpleSharp\.exe</field>
    </rule>
    <rule id="901278" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>HackTool - PurpleSharp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)xyz123456\.exe|PurpleSharp</field>
    </rule>
    <rule id="901279" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Pypykatz Credentials Dumping Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pypykatz\.exe|\\+python\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)live</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)registry</field>
    </rule>
    <rule id="901280" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Quarks PwDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+QuarksPwDump\.exe)$</field>
    </rule>
    <rule id="901281" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Quarks PwDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-dhl|\ \-\-dump\-hash\-local|\ \-dhdc|\ \-\-dump\-hash\-domain\-cached|\ \-\-dump\-bitlocker|\ \-dhd\ |\ \-\-dump\-hash\-domain\ |\-\-ntds\-file</field>
    </rule>
    <rule id="901282" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1106</id>
            <id>attack.t1059.003</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>HackTool - RedMimicry Winnti Playbook Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gthread\-3\.6\.dll|\\+Windows\\+Temp\\+tmp\.bat|sigcmm\-2\.4\.dll</field>
    </rule>
    <rule id="901283" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)PetitPotam|RottenPotato|HotPotato|JuicyPotato|\\+just_dce_|Juicy\ Potato|\\+temp\\+rot\.exe|\\+Potato\.exe|\\+SpoolSample\.exe|\\+Responder\.exe|\\+smbrelayx|\\+ntlmrelayx|\\+LocalPotato</field>
    </rule>
    <rule id="901284" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-Tater|\ smbrelay|\ ntlmrelay|cme\ smb\ |\ /ntlm:NTLMhash\ |Invoke\-PetitPotam|\.exe\ \-t\ .+\ \-p\ )</field>
    </rule>
    <rule id="901285" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-c\ "\{</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\}"\ \-z)$</field>
    </rule>
    <rule id="901286" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)HotPotatoes6</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)HotPotatoes7</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:HotPotatoes\ )</field>
    </rule>
    <rule id="901287" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - Rubeus Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Rubeus\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Rubeus\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Rubeus</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)asreproast\ |dump\ /service:krbtgt\ |dump\ /luid:0x|kerberoast\ |createnetonly\ /program:|ptt\ /ticket:|/impersonateuser:|renew\ /ticket:|asktgt\ /user:|harvest\ /interval:|s4u\ /user:|s4u\ /ticket:|hash\ /password:|golden\ /aes256:|silver\ /user:</field>
    </rule>
    <rule id="901288" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - SafetyKatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SafetyKatz\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SafetyKatz\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SafetyKatz</field>
    </rule>
    <rule id="901289" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>HackTool - SecurityXploded Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)SecurityXploded</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:PasswordDump\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)(?:PasswordDump\.exe)$</field>
    </rule>
    <rule id="901290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.004</id>
        </mitre>
        <description>HackTool - PPID Spoofing SelectMyParent Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SelectMyParent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:PPID\-spoof|ppid_spoof|spoof\-ppid|spoof_ppid|ppidspoof|spoofppid|spoofedppid|\ \-spawnto\ )</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PPID\-spoof|ppid_spoof|spoof\-ppid|spoof_ppid|ppidspoof|spoofppid|spoofedppid</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SelectMyParent</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)04d974875bd225f00902b4cad9af3fbc|a782af154c9e743ddf3f3eb2b8f3d16e|89059503d7fbf470e68f7e63313da3ad|ca28337632625c8281ab8a130b3d6bad</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=04D974875BD225F00902B4CAD9AF3FBC|IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E|IMPHASH=89059503D7FBF470E68F7E63313DA3AD|IMPHASH=CA28337632625C8281AB8A130B3D6BAD</field>
    </rule>
    <rule id="901291" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharPersist\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)SharPersist</field>
    </rule>
    <rule id="901292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ schtask\ \-c\ |\ \-t\ startupfolder\ \-c\ )</field>
    </rule>
    <rule id="901293" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ reg\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901294" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ service\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901295" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ schtask\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901296" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SharpEvtMute Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpEvtMute\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SharpEvtMute</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-Filter\ "rule\ |\-\-Encoded\ \-\-Filter\ \\+"</field>
    </rule>
    <rule id="901297" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpLdapWhoami\.exe)$</field>
    </rule>
    <rule id="901298" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpLdapWhoami</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)SharpLdapWhoami</field>
    </rule>
    <rule id="901299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /method:ntlm|\ /method:kerb|\ /method:nego|\ /m:nego|\ /m:ntlm|\ /m:kerb)$</field>
    </rule>
    <rule id="901300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>HackTool - SharpMove Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpMove\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpMove\.exe</field>
    </rule>
    <rule id="901301" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1615</id>
            <id>attack.t1569.002</id>
            <id>attack.t1574.005</id>
        </mitre>
        <description>HackTool - SharpUp PrivEsc Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpUp\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SharpUp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HijackablePaths|UnquotedServicePath|ProcessDLLHijack|ModifiableServiceBinaries|ModifiableScheduledTask|DomainGPPPassword|CachedGPPPassword</field>
    </rule>
    <rule id="901302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
            <id>attack.t1069.002</id>
            <id>attack.t1482</id>
            <id>attack.t1135</id>
            <id>attack.t1033</id>
        </mitre>
        <description>HackTool - SharpView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpView\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpView\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-RemoteConnection|Convert\-ADName|ConvertFrom\-SID|ConvertFrom\-UACValue|Convert\-SidToName|Export\-PowerViewCSV|Find\-DomainObjectPropertyOutlier|Find\-DomainProcess|Find\-DomainShare|Find\-DomainUserEvent|Find\-DomainUserLocation|Find\-ForeignGroup|Find\-ForeignUser|Find\-GPOComputerAdmin|Find\-GPOLocation|Find\-Interesting|Find\-LocalAdminAccess|Find\-ManagedSecurityGroups|Get\-CachedRDPConnection|Get\-DFSshare|Get\-DomainComputer|Get\-DomainController|Get\-DomainDFSShare|Get\-DomainDNSRecord|Get\-DomainFileServer|Get\-DomainForeign|Get\-DomainGPO|Get\-DomainGroup|Get\-DomainGUIDMap|Get\-DomainManagedSecurityGroup|Get\-DomainObject|Get\-DomainOU|Get\-DomainPolicy|Get\-DomainSID|Get\-DomainSite|Get\-DomainSPNTicket|Get\-DomainSubnet|Get\-DomainTrust|Get\-DomainUserEvent|Get\-ForestDomain|Get\-ForestGlobalCatalog|Get\-ForestTrust|Get\-GptTmpl|Get\-GroupsXML|Get\-LastLoggedOn|Get\-LoggedOnLocal|Get\-NetComputer|Get\-NetDomain|Get\-NetFileServer|Get\-NetForest|Get\-NetGPO|Get\-NetGroupMember|Get\-NetLocalGroup|Get\-NetLoggedon|Get\-NetOU|Get\-NetProcess|Get\-NetRDPSession|Get\-NetSession|Get\-NetShare|Get\-NetSite|Get\-NetSubnet|Get\-NetUser|Get\-PathAcl|Get\-PrincipalContext|Get\-RegistryMountedDrive|Get\-RegLoggedOn|Get\-WMIRegCachedRDPConnection|Get\-WMIRegLastLoggedOn|Get\-WMIRegMountedDrive|Get\-WMIRegProxy|Invoke\-ACLScanner|Invoke\-CheckLocalAdminAccess|Invoke\-Kerberoast|Invoke\-MapDomainTrust|Invoke\-RevertToSelf|Invoke\-Sharefinder|Invoke\-UserImpersonation|Remove\-DomainObjectAcl|Remove\-RemoteConnection|Request\-SPNTicket|Set\-DomainObject|Test\-AdminAccess</field>
    </rule>
    <rule id="901303" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>HackTool - SharpChisel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpChisel\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)SharpChisel</field>
    </rule>
    <rule id="901304" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - SharpImpersonation Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpImpersonation\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpImpersonation\.exe</field>
    </rule>
    <rule id="901305" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - SharpImpersonation Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ binary:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ shellcode:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ technique:CreateProcessAsUserW|\ technique:ImpersonateLoggedOnuser</field>
    </rule>
    <rule id="901306" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>HackTool - SharpLDAPmonitor Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpLDAPmonitor\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpLDAPmonitor\.exe</field>
    </rule>
    <rule id="901307" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>HackTool - SharpLDAPmonitor Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/pass:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/dcip:</field>
    </rule>
    <rule id="901308" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071</id>
        </mitre>
        <description>HackTool - SILENTTRINITY Stager Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)st2stager</field>
    </rule>
    <rule id="901309" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>HackTool - Sliver C2 Implant Activity Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-NoExit\ \-Command\ \[Console\]::OutputEncoding=\[Text\.UTF8Encoding\]::UTF8</field>
    </rule>
    <rule id="901310" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - Stracciatella Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Stracciatella\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Stracciatella\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Stracciatella</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956|SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956|fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a</field>
    </rule>
    <rule id="901311" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2022.41120</id>
            <id>attack.t1068</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - SysmonEOP Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SysmonEOP\.exe)$</field>
    </rule>
    <rule id="901312" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2022.41120</id>
            <id>attack.t1068</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - SysmonEOP Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5|IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)22f4089eb8aba31e1bb162c6d9bf72e5|5123fa4c4384d431cd0d893eeb49bbec</field>
    </rule>
    <rule id="901313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>HackTool - TruffleSnout Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)TruffleSnout\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+TruffleSnout\.exe)$</field>
    </rule>
    <rule id="901314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)UACMe</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)REvol\ Corp|APT\ 92|UG\ North|Hazardous\ Environments|CD\ Project\ Rekt</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)UACMe\ main\ module|Pentesting\ utility</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Akagi\.exe|Akagi64\.exe</field>
    </rule>
    <rule id="901315" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Akagi64\.exe|\\+Akagi\.exe)$</field>
    </rule>
    <rule id="901316" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B</field>
    </rule>
    <rule id="901317" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b</field>
    </rule>
    <rule id="901318" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f|IMPHASH=e96a73c7bf33a464c510ede582318bf2</field>
    </rule>
    <rule id="901319" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ \-S)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
    </rule>
    <rule id="901320" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+clussvc\.exe)$</field>
    </rule>
    <rule id="901321" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)winPEAS\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winPEASany_ofs\.exe|\\+winPEASany\.exe|\\+winPEASx64_ofs\.exe|\\+winPEASx64\.exe|\\+winPEASx86_ofs\.exe|\\+winPEASx86\.exe)$</field>
    </rule>
    <rule id="901322" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ applicationsinfo|\ browserinfo|\ eventsinfo|\ fileanalysis|\ filesinfo|\ processinfo|\ servicesinfo|\ windowscreds</field>
    </rule>
    <rule id="901323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https://github\.com/carlospolop/PEASS\-ng/releases/latest/download/</field>
    </rule>
    <rule id="901324" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ \-linpeas)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-linpeas)$</field>
    </rule>
    <rule id="901325" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1046</id>
            <id>attack.t1082</id>
            <id>attack.t1106</id>
            <id>attack.t1518</id>
            <id>attack.t1548.002</id>
            <id>attack.t1552.001</id>
            <id>attack.t1555</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>HackTool - WinPwn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Offline_Winpwn|WinPwn\ |WinPwn\.exe|WinPwn\.ps1</field>
    </rule>
    <rule id="901326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>HackTool - Wmiexec Default Powershell Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-NoP\ \-NoL\ \-sta\ \-NonI\ \-W\ Hidden\ \-Exec\ Bypass\ \-Enc</field>
    </rule>
    <rule id="901327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - XORDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xordump\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-process\ lsass\.exe\ |\ \-m\ comsvcs\ |\ \-m\ dbghelp\ |\ \-m\ dbgcore\ )</field>
    </rule>
    <rule id="901328" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious ZipExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/generic:Microsoft_Windows_Shell_ZipFolder:filename=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/pass:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/user:</field>
    </rule>
    <rule id="901329" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious ZipExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
    </rule>
    <rule id="901330" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Execution of Hostname</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+HOSTNAME\.EXE)$</field>
    </rule>
    <rule id="901331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.t1059.003</id>
            <id>attack.g0032</id>
        </mitre>
        <description>Suspicious HWP Sub Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Hwp\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gbb\.exe)$</field>
    </rule>
    <rule id="901332" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Fake Instance Of Hxtsr.EXE Executed</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+hxtsr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+program\ files\\+windowsapps\\+microsoft\.windowscommunicationsapps_</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+hxtsr\.exe)$</field>
    </rule>
    <rule id="901333" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Microsoft IIS Service Account Password Dumped</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+appcmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)appcmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:list\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /config|\ /xml|\ \-config|\ \-xml</field>
    </rule>
    <rule id="901334" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>IIS Native-Code Module Command Line Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+appcmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)appcmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)install</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)module</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-name:</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+inetsrv\\+iissetup\.exe</field>
    </rule>
    <rule id="901335" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)appcmd\.exe\ add\ module</field>
    </rule>
    <rule id="901336" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ system\.enterpriseservices\.internal\.publish</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
    </rule>
    <rule id="901337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gacutil</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /I</field>
    </rule>
    <rule id="901338" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>ImagingDevices Unusual Parent/Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ImagingDevices\.exe)$</field>
    </rule>
    <rule id="901339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>ImagingDevices Unusual Parent/Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ImagingDevices\.exe)$</field>
    </rule>
    <rule id="901340" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>InfDefaultInstall.exe .inf Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:InfDefaultInstall\.exe\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.inf</field>
    </rule>
    <rule id="901341" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Execution of InstallUtil Without Log</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+InstallUtil\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)Microsoft\.NET\\+Framework</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/logfile=\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/LogToConsole=false</field>
    </rule>
    <rule id="901342" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Shells Spawn by Java Utility Keytool</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+keytool\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+sh\.exe|\\+bash\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+schtasks\.exe|\\+certutil\.exe|\\+whoami\.exe|\\+bitsadmin\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+scrcons\.exe|\\+regsvr32\.exe|\\+hh\.exe|\\+wmic\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+forfiles\.exe|\\+scriptrunner\.exe|\\+mftrace\.exe|\\+AppVLP\.exe|\\+systeminfo\.exe|\\+reg\.exe|\\+query\.exe)$</field>
    </rule>
    <rule id="901343" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Child Process Of Manage Engine ServiceDesk</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+ManageEngine\\+ServiceDesk\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+java\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+calc\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+mftrace\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+query\.exe|\\+reg\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ stop</field>
    </rule>
    <rule id="901344" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1203</id>
            <id>attack.execution</id>
        </mitre>
        <description>Java Running with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)transport=dt_socket,address=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)jre1\.|jdk1\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)address=127\.0\.0\.1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)address=localhost</field>
    </rule>
    <rule id="901345" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Processes Spawned by Java.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mftrace\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+query\.exe|\\+reg\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901346" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Shell Process Spawned by Java.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)build</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)build</field>
    </rule>
    <rule id="901347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
        </mitre>
        <description>Suspicious SysAidServer Child</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)SysAidServer</field>
    </rule>
    <rule id="901348" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kd_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Windows Kernel Debugger Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+kd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)kd\.exe</field>
    </rule>
    <rule id="901349" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Active Directory Structure Export Via Ldifde.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ldifde\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ldifde\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-i</field>
    </rule>
    <rule id="901350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Custom Class Execution via Xwizard</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xwizard\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}</field>
    </rule>
    <rule id="901351" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567</id>
        </mitre>
        <description>Suspicious ConfigSecurityPolicy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ConfigSecurityPolicy\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ConfigSecurityPolicy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ConfigSecurityPolicy\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https://|http://|ftp://</field>
    </rule>
    <rule id="901352" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Suspicious CustomShellHost Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+CustomShellHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
    </rule>
    <rule id="901353" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>ZOHO Dctask64 Process Injection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dctask64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)DesktopCentral_Agent\\+agent</field>
    </rule>
    <rule id="901354" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Lolbin Defaultpack.exe Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+defaultpack\.exe)$</field>
    </rule>
    <rule id="901355" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>DeviceCredentialDeployment Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DeviceCredentialDeployment\.exe)$</field>
    </rule>
    <rule id="901356" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Devtoolslauncher.exe Executes Specified Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+devtoolslauncher\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchForDeploy</field>
    </rule>
    <rule id="901357" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Suspicious Diantz Alternate Data Stream Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)diantz\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^\\+]</field>
    </rule>
    <rule id="901358" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Diantz Download and Compress Into a CAB File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)diantz\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
    </rule>
    <rule id="901359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Xwizard DLL Sideloading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xwizard\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
    </rule>
    <rule id="901360" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Application Whitelisting Bypass via Dnx.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dnx\.exe)$</field>
    </rule>
    <rule id="901361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Dump64.exe Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Installer\\+Feedback\\+dump64\.exe</field>
    </rule>
    <rule id="901362" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Dump64.exe Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-ma\ |accepteula</field>
    </rule>
    <rule id="901363" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious Extexport Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Extexport\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Extexport\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)extexport\.exe</field>
    </rule>
    <rule id="901364" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Suspicious Extrac32 Alternate Data Stream Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)extrac32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^\\+]</field>
    </rule>
    <rule id="901365" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Format.com FileSystem LOLBIN</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+format\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/fs:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:FAT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:exFAT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:NTFS</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:UDF</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:ReFS</field>
    </rule>
    <rule id="901366" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of FSharp Interpreters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fsianycpu\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)fsianycpu\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fsi\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)fsi\.exe</field>
    </rule>
    <rule id="901367" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>LOLBIN Execution Of The FTP.EXE Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ftp\.exe)$</field>
    </rule>
    <rule id="901368" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Gpscript Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)GPSCRIPT\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /logon|\ /startup</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ gpsvc</field>
    </rule>
    <rule id="901369" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Ie4uinit Lolbin Use From Invalid Path</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ie4uinit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)IE4UINIT\.EXE</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)c:\\+windows\\+system32\\+</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)c:\\+windows\\+sysWOW64\\+</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901370" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Ilasm Lolbin Use Compile C-Sharp</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ilasm\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ilasm\.exe</field>
    </rule>
    <rule id="901371" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>JSC Convert Javascript To Executable</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+jsc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.js</field>
    </rule>
    <rule id="901372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Kavremover Dropped Binary LOLBIN Usage</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ run\-cmd\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+kavremover\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cleanapi\.exe)$</field>
    </rule>
    <rule id="901373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Manage-bde.wsf Abuse To Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wscript\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)manage\-bde\.wsf</field>
    </rule>
    <rule id="901374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Manage-bde.wsf Abuse To Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)manage\-bde\.wsf</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
    </rule>
    <rule id="901375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.001</id>
            <id>attack.t1218.013</id>
        </mitre>
        <description>Mavinject Inject DLL Into Running Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /INJECTRUNNING\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+AppVClient\.exe</field>
    </rule>
    <rule id="901376" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execute Files with Msdeploy.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)verb:sync</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-source:RunCommand</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-dest:runCommand</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdeploy\.exe)$</field>
    </rule>
    <rule id="901377" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Execute MSDT Via Answer File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+WINDOWS\\+diagnostics\\+index\\+PCWDiagnostic\.xml</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-af\ |\ /af\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
    </rule>
    <rule id="901378" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of OpenConsole</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)OpenConsole\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OpenConsole\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal)</field>
    </rule>
    <rule id="901379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>OpenWith.exe Executes Specified Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OpenWith\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
    </rule>
    <rule id="901380" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of Pcalua For Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pcalua\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-a</field>
    </rule>
    <rule id="901381" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Indirect Command Execution By Program Compatibility Wizard</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
    </rule>
    <rule id="901382" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Execute Pcwrun.EXE To Leverage Follina</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.\./</field>
    </rule>
    <rule id="901383" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Execute Code with Pester.bat</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Pester</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Help</field>
    </rule>
    <rule id="901384" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Execute Code with Pester.bat</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pester</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i);</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)help|\\+.</field>
    </rule>
    <rule id="901385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>PrintBrm ZIP Creation of Extraction</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PrintBrm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
    </rule>
    <rule id="901386" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216.001</id>
        </mitre>
        <description>Pubprn.vbs Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+pubprn\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)script:</field>
    </rule>
    <rule id="901387" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>REGISTER_APP.VBS Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+register_app\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-register</field>
    </rule>
    <rule id="901388" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of Remote.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+remote\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)remote\.exe</field>
    </rule>
    <rule id="901389" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Replace.exe Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+replace\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-a</field>
    </rule>
    <rule id="901390" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Lolbin Runexehelper Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+runexehelper\.exe)$</field>
    </rule>
    <rule id="901391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Runscripthelper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Runscripthelper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)surfacecheck</field>
    </rule>
    <rule id="901392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Use of Setres.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+setres\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+choice)$</field>
    </rule>
    <rule id="901393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.008</id>
        </mitre>
        <description>Using SettingSyncHost.exe as LOLBin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)RoamDiag\.cmd</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-outputpath</field>
    </rule>
    <rule id="901394" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Use Of The SFTP.EXE Binary As A LOLBIN</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sftp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-D\ \.\.|\ \-D\ C:\\+</field>
    </rule>
    <rule id="901395" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Sideloading Link.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+link\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LINK\ /</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+VC\\+Tools\\+MSVC\\+</field>
    </rule>
    <rule id="901396" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Suspicious Sigverif Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sigverif\.exe)$</field>
    </rule>
    <rule id="901397" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Lolbin Ssh.exe Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+OpenSSH\\+sshd\.exe</field>
    </rule>
    <rule id="901398" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Suspicious Driver Install by pnputil.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-i|/install|\-a|/add\-driver|\.inf</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pnputil\.exe)$</field>
    </rule>
    <rule id="901399" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Suspicious GrpConv Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)grpconv\.exe\ \-o|grpconv\ \-o</field>
    </rule>
    <rule id="901400" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Dumping Process via Sqldumper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqldumper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x0110|0x01100:40</field>
    </rule>
    <rule id="901401" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1216</id>
        </mitre>
        <description>SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SyncAppvPublishingServer\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i);</field>
    </rule>
    <rule id="901402" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>Potential DLL Injection Or Execution Using Tracker.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tracker\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Tracker</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /d\ |\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /ERRORREPORT:PROMPT\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Msbuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Msbuild\\+Current\\+Bin\\+amd64\\+MSBuild\.exe)$</field>
    </rule>
    <rule id="901403" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of TTDInject.exe</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:ttdinject\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)TTDInject\.EXE</field>
    </rule>
    <rule id="901404" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1218</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Time Travel Debugging Utility Usage</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+tttracer\.exe)$</field>
    </rule>
    <rule id="901405" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential Download/Upload Activity Using Type Command</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ &gt;\ \\+</field>
    </rule>
    <rule id="901406" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential Download/Upload Activity Using Type Command</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type\ \\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
    </rule>
    <rule id="901407" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>UtilityFunctions.ps1 Proxy Dll</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:UtilityFunctions\.ps1|RegSnapin\ )</field>
    </rule>
    <rule id="901408" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Use of VisualUiaVerifyNative.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VisualUiaVerifyNative\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)VisualUiaVerifyNative\.exe</field>
    </rule>
    <rule id="901409" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Visual Basic Command Line Compiler Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vbc\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cvtres\.exe)$</field>
    </rule>
    <rule id="901410" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of Wfc.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wfc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wfc\.exe</field>
    </rule>
    <rule id="901411" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1127</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Microsoft Workflow Compiler Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.Workflow\.Compiler\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Microsoft\.Workflow\.Compiler\.exe</field>
    </rule>
    <rule id="901412" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via LSASS Process Clone</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="901413" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potential Mftrace.EXE Abuse</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mftrace\.exe)$</field>
    </rule>
    <rule id="901414" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>MMC20 Lateral Movement</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Embedding</field>
    </rule>
    <rule id="901415" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Suspicious Mofcomp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mofcomp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)mofcomp\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp|\\+Users\\+Public\\+|\\+WINDOWS\\+Temp\\+|%temp%|%tmp%|%appdata%</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.mof)$</field>
    </rule>
    <rule id="901416" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Suspicious Mofcomp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mofcomp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)mofcomp\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp|\\+Users\\+Public\\+|\\+WINDOWS\\+Temp\\+|%temp%|%tmp%|%appdata%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.mof)$</field>
    </rule>
    <rule id="901417" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading Via Defender Binaries</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Security\ Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="901418" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Msbuild Execution By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)MSBuild\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+devenv\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msbuild\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+nuget\.exe)$</field>
    </rule>
    <rule id="901419" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potential Arbitrary Command Execution Using Msdt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)msdt\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IT_BrowseForFile=</field>
    </rule>
    <rule id="901420" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Wscript Shell Run In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Wscript\.</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Shell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Run</field>
    </rule>
    <rule id="901421" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
        </mitre>
        <description>Potential LethalHTA Technique Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
    </rule>
    <rule id="901422" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1218.005</id>
            <id>attack.execution</id>
            <id>attack.t1059.007</id>
            <id>cve.2020.1599</id>
        </mitre>
        <description>MSHTA Suspicious Execution 01</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)vbscript|\.jpg|\.png|\.lnk|\.xls|\.doc|\.zip|\.dll</field>
    </rule>
    <rule id="901423" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Suspicious Mshta.EXE Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)MSHTA\.EXE</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+|C:\\+ProgramData\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901424" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Suspicious Mshta.EXE Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)MSHTA\.EXE</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.htm</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.hta</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:mshta\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:mshta)$</field>
    </rule>
    <rule id="901425" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218.007</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious MsiExec Embedding Parent</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)MsiExec\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\-Embedding\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+SplunkUniversalForwarder\\+bin\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+DismFoDInstall\.cmd</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\\+MsiExec\.exe\ \-Embedding\ )</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)Global\\+MSI0000</field>
    </rule>
    <rule id="901426" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Suspicious Msiexec Execute Arbitrary DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\ \-y</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+ScriptingObjectModel\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+SoftwareUpdateAdmin\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+ScriptingObjectModel\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+SoftwareUpdateAdmin\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ C:\\+Windows\\+CCM\\+</field>
    </rule>
    <rule id="901427" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Msiexec Quiet Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)msiexec\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-i|\-package|\-a|\-j</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-q</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+CCM\\+Ccm32BitLauncher\.exe</field>
        <field name="win.eventdata.integrityLevel" negate="yes" type="pcre2">(?i)System</field>
    </rule>
    <rule id="901428" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Potential MsiExec Masquerading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)\\+msiexec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="901429" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>MsiExec Web Install</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ msiexec</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://</field>
    </rule>
    <rule id="901430" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential Process Injection Via Msra.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+msra\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:msra\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arp\.exe|\\+cmd\.exe|\\+net\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+route\.exe|\\+schtasks\.exe|\\+whoami\.exe)$</field>
    </rule>
    <rule id="901431" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Detection of PowerShell Execution via Sqlps.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlps\.exe)$</field>
    </rule>
    <rule id="901432" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Detection of PowerShell Execution via Sqlps.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqlps\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sqlps\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+sqlagent\.exe)$</field>
    </rule>
    <rule id="901433" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>SQL Client Tools PowerShell Session Detection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqltoolsps\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqltoolsps\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)\\+sqltoolsps\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+smss\.exe)$</field>
    </rule>
    <rule id="901434" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of SQL Server</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+bitsadmin\.exe|\\+cmd\.exe|\\+netstat\.exe|\\+nltest\.exe|\\+ping\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+tasklist\.exe|\\+wsl\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ SQL\ Server\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:DATEV_DBENGINE\\+MSSQL\\+Binn\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+cmd\.exe"\ )</field>
    </rule>
    <rule id="901435" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of Veeam Dabatase</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)VEEAMSQL</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-ex\ |bypass|cscript|DownloadString|http://|https://|mshta|regsvr32|rundll32|wscript|copy\ )</field>
    </rule>
    <rule id="901436" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of Veeam Dabatase</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)VEEAMSQL</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe|\\+netstat\.exe|\\+nltest\.exe|\\+ping\.exe|\\+tasklist\.exe|\\+whoami\.exe)$</field>
    </rule>
    <rule id="901437" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1563.002</id>
        </mitre>
        <description>Potential MSTSC Shadowing Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)noconsentprompt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadow:</field>
    </rule>
    <rule id="901438" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>New Remote Desktop Connection Initiated Via Mstsc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)mstsc\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /v:</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+lxss\\+wslhost\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+WSL\\+wslg\.rdp</field>
    </rule>
    <rule id="901439" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Mstsc.EXE Execution With Local RDP File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)mstsc\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.rdp|\.rdp")$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+lxss\\+wslhost\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+WSL\\+wslg\.rdp</field>
    </rule>
    <rule id="901440" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>Msxsl.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msxsl\.exe)$</field>
    </rule>
    <rule id="901441" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>Remote XSL Execution Via Msxsl.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msxsl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901442" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0246</id>
        </mitre>
        <description>New Firewall Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ firewall\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ "program=.:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+Dropbox\.exe"\ enable=yes\ profile=Any</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ "program=.:\\+Program\ Files\\+Dropbox\\+Client\\+Dropbox\.exe"\ enable=yes\ profile=Any</field>
    </rule>
    <rule id="901443" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Firewall Rule Deleted Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)firewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:delete\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)name=Dropbox</field>
    </rule>
    <rule id="901444" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0108</id>
        </mitre>
        <description>Firewall Disabled via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)firewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)opmode</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)disable</field>
    </rule>
    <rule id="901445" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0108</id>
        </mitre>
        <description>Firewall Disabled via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advfirewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)state</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)off</field>
    </rule>
    <rule id="901446" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)interface</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)portproxy</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)v4tov4</field>
    </rule>
    <rule id="901447" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:i\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:v\ )</field>
    </rule>
    <rule id="901448" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)netsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)connectp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)listena</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)c=</field>
    </rule>
    <rule id="901449" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>Suspicious Group And Account Reconnaissance Activity Using Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ group\ |\ localgroup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domain\ admins|\ administrator|\ administrateur|enterprise\ admins|Exchange\ Trusted\ Subsystem|Remote\ Desktop\ Users|Utilisateurs\ du\ Bureau\ Г \ distance|Usuarios\ de\ escritorio\ remoto|\ /do</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ /add</field>
    </rule>
    <rule id="901450" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Suspicious Manipulation Of Default Accounts Via Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ JГ¤rjestelmГ¤nvalvoja\ |\ Rendszergazda\ |\ РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ\ |\ Administrateur\ |\ Administrador\ |\ AdministratГ¶r\ |\ Administrator\ |\ guest\ |\ DefaultAccount\ |\ "JГ¤rjestelmГ¤nvalvoja"\ |\ "Rendszergazda"\ |\ "РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ"\ |\ "Administrateur"\ |\ "Administrador"\ |\ "AdministratГ¶r"\ |\ "Administrator"\ |\ "guest"\ |\ "DefaultAccount"\ |\ 'JГ¤rjestelmГ¤nvalvoja'\ |\ 'Rendszergazda'\ |\ 'РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ'\ |\ 'Administrateur'\ |\ 'Administrador'\ |\ 'AdministratГ¶r'\ |\ 'Administrator'\ |\ 'guest'\ |\ 'DefaultAccount'\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)guest</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/active\ no</field>
    </rule>
    <rule id="901451" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Password Provided In Command Line Of Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ use\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):.+\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/USER:.+\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ )$</field>
    </rule>
    <rule id="901452" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>Share And Session Enumeration Using Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)view</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+</field>
    </rule>
    <rule id="901453" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
            <id>attack.t1018</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Nltest.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nltest\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)nltestrk\.exe</field>
    </rule>
    <rule id="901454" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potential Arbitrary Code Execution Via Node.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+node\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-e\ |\ \-\-eval\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exec\(</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net\.socket</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.connect</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)child_process</field>
    </rule>
    <rule id="901455" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>Node Process Executions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Adobe\ Creative\ Cloud\ Experience\\+libs\\+node\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Adobe\ Creative\ Cloud\ Experience\\+js</field>
    </rule>
    <rule id="901456" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087</id>
            <id>attack.t1082</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Network Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)nslookup</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)_ldap\._tcp\.dc\._msdcs\.</field>
    </rule>
    <rule id="901457" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntdsutil\.exe)$</field>
    </rule>
    <rule id="901458" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Suspicious Driver/DLL Installation Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)odbcconf\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:INSTALLDRIVER\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901459" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Potentially Suspicious DLL Registered Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)odbcconf\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:REGSVR\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901460" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Suspicious Response File Execution Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)odbcconf\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-f\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.rsp</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+runonce\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+odbcconf\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe\ /E\ /F\ "C:\\+WINDOWS\\+system32\\+odbcconf\.tmp"</field>
    </rule>
    <rule id="901461" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Uncommon Child Process Spawned By Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
    </rule>
    <rule id="901462" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Office Document Executed From Trusted Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+dopus\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+EXCEL\.EXE|\\+POWERPNT\.EXE|\\+WINWORD\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Excel\.exe|POWERPNT\.EXE|WinWord\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Templates|\\+AppData\\+Roaming\\+Microsoft\\+Word\\+Startup\\+|\\+Microsoft\ Office\\+root\\+Templates\\+|\\+Microsoft\ Office\\+Templates\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dotx)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.xltx)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.potx)$</field>
    </rule>
    <rule id="901463" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)bitsadmin\.exe|CertOC\.exe|CertUtil\.exe|Cmd\.Exe|CMSTP\.EXE|cscript\.exe|curl\.exe|HH\.exe|IEExec\.exe|InstallUtil\.exe|javaw\.exe|Microsoft\.Workflow\.Compiler\.exe|msdt\.exe|MSHTA\.EXE|msiexec\.exe|Msxsl\.exe|odbcconf\.exe|pcalua\.exe|PowerShell\.EXE|RegAsm\.exe|RegSvcs\.exe|REGSVR32\.exe|RUNDLL32\.exe|schtasks\.exe|ScriptRunner\.exe|wmic\.exe|WorkFolders\.exe|wscript\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certoc\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cmstp\.exe|\\+control\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+ieexec\.exe|\\+installutil\.exe|\\+javaw\.exe|\\+mftrace\.exe|\\+Microsoft\.Workflow\.Compiler\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msidb\.exe|\\+msiexec\.exe|\\+msxsl\.exe|\\+odbcconf\.exe|\\+pcalua\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regasm\.exe|\\+regsvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+verclsid\.exe|\\+wmic\.exe|\\+workfolders\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901464" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.hta|\.vb|\.wsh|\.js|\.ps|\.scr|\.pif|\.bat|\.cmd</field>
    </rule>
    <rule id="901465" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Users\\+Public\\+|\\+ProgramData\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Temp\\+|\\+Windows\\+System32\\+Tasks\\+</field>
    </rule>
    <rule id="901466" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-Embedding)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FileCoAuth\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-Embedding)$</field>
    </rule>
    <rule id="901467" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Outlook EnableUnsafeClientMailRules Setting Enabled</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Outlook\\+Security\\+EnableUnsafeClientMailRules</field>
    </rule>
    <rule id="901468" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Suspicious Execution From Outlook Temporary Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook\\+</field>
    </rule>
    <rule id="901469" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Suspicious Outlook Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mftrace\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msiexec\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901470" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Remote Child Process From Outlook</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:\\+)</field>
    </rule>
    <rule id="901471" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.g0046</id>
            <id>car.2013-05-002</id>
        </mitre>
        <description>Suspicious Binary In User Directory Spawned From Office Application</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WINWORD\.EXE|\\+EXCEL\.EXE|\\+POWERPNT\.exe|\\+MSPUB\.exe|\\+VISIO\.exe|\\+MSACCESS\.exe|\\+EQNEDT32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+users\\+)</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
    </rule>
    <rule id="901472" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious Microsoft Office Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EQNEDT32\.EXE|\\+EXCEL\.EXE|\\+MSACCESS\.EXE|\\+MSPUB\.exe|\\+ONENOTE\.EXE|\\+POWERPNT\.exe|\\+VISIO\.exe|\\+WINWORD\.EXE|\\+wordpad\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)bitsadmin\.exe|CertOC\.exe|CertUtil\.exe|Cmd\.Exe|CMSTP\.EXE|cscript\.exe|curl\.exe|HH\.exe|IEExec\.exe|InstallUtil\.exe|javaw\.exe|Microsoft\.Workflow\.Compiler\.exe|msdt\.exe|MSHTA\.EXE|msiexec\.exe|Msxsl\.exe|odbcconf\.exe|pcalua\.exe|PowerShell\.EXE|RegAsm\.exe|RegSvcs\.exe|REGSVR32\.exe|RUNDLL32\.exe|schtasks\.exe|ScriptRunner\.exe|wmic\.exe|WorkFolders\.exe|wscript\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certoc\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cmstp\.exe|\\+control\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+ieexec\.exe|\\+installutil\.exe|\\+javaw\.exe|\\+mftrace\.exe|\\+Microsoft\.Workflow\.Compiler\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msidb\.exe|\\+msiexec\.exe|\\+msxsl\.exe|\\+odbcconf\.exe|\\+pcalua\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regasm\.exe|\\+regsvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+verclsid\.exe|\\+wmic\.exe|\\+workfolders\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901473" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious Microsoft Office Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EQNEDT32\.EXE|\\+EXCEL\.EXE|\\+MSACCESS\.EXE|\\+MSPUB\.exe|\\+ONENOTE\.EXE|\\+POWERPNT\.exe|\\+VISIO\.exe|\\+WINWORD\.EXE|\\+wordpad\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Users\\+Public\\+|\\+ProgramData\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Temp\\+|\\+Windows\\+System32\\+Tasks\\+</field>
    </rule>
    <rule id="901474" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OfflineScannerShell\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)OfflineScannerShell\.exe</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\\+Offline\\+</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901475" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1072</id>
        </mitre>
        <description>PDQ Deploy Remote Adminstartion Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)PDQ\ Deploy\ Console</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)PDQ\ Deploy</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)PDQ\.com</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PDQDeployConsole\.exe</field>
    </rule>
    <rule id="901476" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Ping Hex IP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x</field>
    </rule>
    <rule id="901477" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1040</id>
        </mitre>
        <description>PktMon.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pktmon\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PktMon\.exe</field>
    </rule>
    <rule id="901478" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Suspicious Plink Port Forwarding</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Command\-line\ SSH,\ Telnet,\ and\ Rlogin\ client</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
    </rule>
    <rule id="901479" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Potential RDP Tunneling Via Plink</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+plink\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):127\.0\.0\.1:3389</field>
    </rule>
    <rule id="901480" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Via .NET Reflection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)System\.Management\.Automation\.AmsiUtils|amsiInitFailed</field>
    </rule>
    <rule id="901481" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Via .NET Reflection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[Ref\]\.Assembly\.GetType</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SetValue$\$null,\$true$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NonPublic,Static</field>
    </rule>
    <rule id="901482" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Using NULL Bits</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)if$0$\{\{\{0\}\}\}'\ \-f\ \$$0\ \-as\ \[char\]$\ \+|\#&lt;NULL&gt;</field>
    </rule>
    <rule id="901483" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Audio Capture via PowerShell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:WindowsAudioDevice\-Powershell\-Cmdlet|Toggle\-AudioDevice|Get\-AudioDevice\ |Set\-AudioDevice\ |Write\-AudioDevice\ )</field>
    </rule>
    <rule id="901484" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Encoded PowerShell Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ JAB|\ SUVYI|\ SQBFAFgA|\ aQBlAHgA|\ aWV4I|\ IAA|\ IAB|\ UwB|\ cwB</field>
    </rule>
    <rule id="901485" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Encoded PowerShell Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-ENCOD\ |\ BA\^J\ e\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-ExecutionPolicy\ remotesigned\ )</field>
    </rule>
    <rule id="901486" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Encoded Command Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.Exe|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e\ |\ \-en\ |\ \-enc\ |\ \-enco</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ JAB|\ SUVYI|\ SQBFAFgA|\ aWV4I|\ IAB|\ PAA|\ aQBlAHgA</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+gc_worker\.exe</field>
    </rule>
    <rule id="901487" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Obfuscated PowerShell Code</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IAAtAGIAeABvAHIAIAAwAHgA|AALQBiAHgAbwByACAAMAB4A|gAC0AYgB4AG8AcgAgADAAeA|AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg|AuAEkAbgB2AG8AawBlACgAKQAgAHwAI|ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC|AHsAMQB9AHsAMAB9ACIAIAAtAGYAI|B7ADEAfQB7ADAAfQAiACAALQBmAC|AewAxAH0AewAwAH0AIgAgAC0AZgAg|AHsAMAB9AHsAMwB9ACIAIAAtAGYAI|B7ADAAfQB7ADMAfQAiACAALQBmAC|AewAwAH0AewAzAH0AIgAgAC0AZgAg|AHsAMgB9AHsAMAB9ACIAIAAtAGYAI|B7ADIAfQB7ADAAfQAiACAALQBmAC|AewAyAH0AewAwAH0AIgAgAC0AZgAg|AHsAMQB9AHsAMAB9ACcAIAAtAGYAI|B7ADEAfQB7ADAAfQAnACAALQBmAC|AewAxAH0AewAwAH0AJwAgAC0AZgAg|AHsAMAB9AHsAMwB9ACcAIAAtAGYAI|B7ADAAfQB7ADMAfQAnACAALQBmAC|AewAwAH0AewAzAH0AJwAgAC0AZgAg|AHsAMgB9AHsAMAB9ACcAIAAtAGYAI|B7ADIAfQB7ADAAfQAnACAALQBmAC|AewAyAH0AewAwAH0AJwAgAC0AZgAg</field>
    </rule>
    <rule id="901488" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Base64 Encoded FromBase64String Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">::FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA|oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA|6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw</field>
    </rule>
    <rule id="901489" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Base64 Encoded IEX Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">IEX\ \(\[|iex\ \(\[|iex\ \(New|IEX\ \(New|IEX\(\[|iex\(\[|iex\(New|IEX\(New|IEX\(\('|iex\(\('</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SQBFAFgAIAAoAFsA|kARQBYACAAKABbA|JAEUAWAAgACgAWw|aQBlAHgAIAAoAFsA|kAZQB4ACAAKABbA|pAGUAeAAgACgAWw|aQBlAHgAIAAoAE4AZQB3A|kAZQB4ACAAKABOAGUAdw|pAGUAeAAgACgATgBlAHcA|SQBFAFgAIAAoAE4AZQB3A|kARQBYACAAKABOAGUAdw|JAEUAWAAgACgATgBlAHcA</field>
    </rule>
    <rule id="901490" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Base64 Encoded MpPreference Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?:Add\-MpPreference\ |Set\-MpPreference\ |add\-mppreference\ |set\-mppreference\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA|EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA|BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA|UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA|MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA|TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA|YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA|EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA|hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA|cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA|MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA|zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA</field>
    </rule>
    <rule id="901491" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1620</id>
        </mitre>
        <description>PowerShell Base64 Encoded Reflective Assembly Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA|sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA|bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA|AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC|BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp|AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK|WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ|sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA|bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA|WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA|sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA|bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA</field>
    </rule>
    <rule id="901492" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ|oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA|6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA|OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ|oAOgAoACIATABvACIAKwAiAGEAZAAiACkA|6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA|OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ|oAOgAoACIATABvAGEAIgArACIAZAAiACkA|6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA|OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ|oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA|6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA|OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ|oAOgAoACcATABvACcAKwAnAGEAZAAnACkA|6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA|OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ|oAOgAoACcATABvAGEAJwArACcAZAAnACkA|6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA</field>
    </rule>
    <rule id="901493" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ|cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA|XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A|V2luMzJfU2hhZG93Y29we|dpbjMyX1NoYWRvd2NvcH|XaW4zMl9TaGFkb3djb3B5</field>
    </rule>
    <rule id="901494" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA|cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA|XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg|V2luMzJfU2NoZWR1bGVkSm9i|dpbjMyX1NjaGVkdWxlZEpvY|XaW4zMl9TY2hlZHVsZWRKb2</field>
    </rule>
    <rule id="901495" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw|cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA|XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA|V2luMzJfUHJvY2Vzc|dpbjMyX1Byb2Nlc3|XaW4zMl9Qcm9jZXNz</field>
    </rule>
    <rule id="901496" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A|cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA|XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA|V2luMzJfVXNlckFjY291bn|dpbjMyX1VzZXJBY2NvdW50|XaW4zMl9Vc2VyQWNjb3Vud</field>
    </rule>
    <rule id="901497" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA|cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA|XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg|V2luMzJfTG9nZ2VkT25Vc2Vy|dpbjMyX0xvZ2dlZE9uVXNlc|XaW4zMl9Mb2dnZWRPblVzZX</field>
    </rule>
    <rule id="901498" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Process Execution Proxy Via CL_Invocation.ps1</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:SyncInvoke\ )</field>
    </rule>
    <rule id="901499" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Assembly Loading Via CL_LoadAssembly.ps1</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:LoadAssemblyFromPath\ |LoadAssemblyFromNS\ )</field>
    </rule>
    <rule id="901500" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Via Reversed Commands</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hctac|kaerb|dnammoc|ekovn|eliFd|rahc|etirw|golon|tninon|eddih|tpircS|ssecorp|llehsrewop|esnopser|daolnwod|tneilCbeW|tneilc|ptth|elifotevas|46esab|htaPpmeTteG|tcejbO|maerts|hcaerof|retupmoc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-EncodedCommand\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-enc\ )</field>
    </rule>
    <rule id="901501" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Command Line Obfuscation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\^.*\^.*\^.*\^.*\^.</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*`.*`.*`.*`.*`.</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Amazon\\+SSM\\+ssm\-document\-worker\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)new\ EventSource$"Microsoft\.Windows\.Sense\.Client\.Management"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)public\ static\ extern\ bool\ InstallELAMCertificateInfo\(SafeFileHandle\ handle$;</field>
    </rule>
    <rule id="901502" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Service Creation Using PowerShell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-BinaryPathName</field>
    </rule>
    <rule id="901503" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Gzip Archive Decode Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)GZipStream</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::Decompress</field>
    </rule>
    <rule id="901504" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Add\-MpPreference\ |Set\-MpPreference\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:DisableArchiveScanning\ |DisableRealtimeMonitoring\ |DisableIOAVProtection\ |DisableBehaviorMonitoring\ |DisableBlockAtFirstSeen\ |DisableCatchupFullScan\ |DisableCatchupQuickScan\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\$true|\ 1\ )</field>
    </rule>
    <rule id="901505" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?:disablearchivescanning\ |DisableArchiveScanning\ |disablebehaviormonitoring\ |DisableBehaviorMonitoring\ |disableblockatfirstseen\ |DisableBlockAtFirstSeen\ |disablecatchupfullscan\ |DisableCatchupFullScan\ |disablecatchupquickscan\ |DisableCatchupQuickScan\ |disableioavprotection\ |DisableIOAVProtection\ |disablerealtimemonitoring\ |DisableRealtimeMonitoring\ )</field>
    </rule>
    <rule id="901506" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA|EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA|RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA|QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA|EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA|RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA|EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA|RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA|QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA|EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA|ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA|kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA|ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA|QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA|kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA|ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA|kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA|ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA|QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA|kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA|RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA|RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA|RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA</field>
    </rule>
    <rule id="901507" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-DisableBehaviorMonitoring\ \$true|\-DisableRuntimeMonitoring\ \$true</field>
    </rule>
    <rule id="901508" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sc\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)stop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
    </rule>
    <rule id="901509" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sc\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
    </rule>
    <rule id="901510" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sc\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start=disabled</field>
    </rule>
    <rule id="901511" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ IEHarden\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 0\ )</field>
    </rule>
    <rule id="901512" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ DEPOff\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 1\ )</field>
    </rule>
    <rule id="901513" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ DisableFirstRunCustomize\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 2\ )</field>
    </rule>
    <rule id="901514" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Downgrade Attack</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-version\ 2\ |\ \-versio\ 2\ |\ \-versi\ 2\ |\ \-vers\ 2\ |\ \-ver\ 2\ |\ \-ve\ 2\ |\ \-v\ 2\ )</field>
    </rule>
    <rule id="901515" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PowerShell Web Download</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.DownloadString\(|\.DownloadFile\(|Invoke\-WebRequest\ |iwr\ )</field>
    </rule>
    <rule id="901516" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential DLL File Download Via PowerShell Invoke-WebRequest</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-WebRequest\ |IWR\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OutFile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901517" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Email Exifiltration Via Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-PSSnapin</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Recipient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ExpandProperty</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EmailAddresses</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SmtpAddress</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-hidetableheaders</field>
    </rule>
    <rule id="901518" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Execution of Powershell with Base64</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-e\ |\ \-en\ |\ \-enc\ |\ \-enco|\ \-ec\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-Encoding\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+gc_worker\.exe</field>
    </rule>
    <rule id="901519" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToChar|ToString|String</field>
    </rule>
    <rule id="901520" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)char</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)join</field>
    </rule>
    <rule id="901521" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)split</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)join</field>
    </rule>
    <rule id="901522" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1552.004</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Certificate Exported Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Export\-PfxCertificate\ |Export\-Certificate\ )</field>
    </rule>
    <rule id="901523" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1027</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Base64 Encoded PowerShell Command Detected</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::FromBase64String\(</field>
    </rule>
    <rule id="901524" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Suspicious FromBase64String Usage On Gzip Archive - Process Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MemoryStream</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)H4sI</field>
    </rule>
    <rule id="901525" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>PowerShell Get-Process LSASS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Process\ lsas|ps\ lsas|gps\ lsas</field>
    </rule>
    <rule id="901526" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>PowerShell Get-Clipboard Cmdlet Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Clipboard</field>
    </rule>
    <rule id="901527" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell IEX Execution Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \|\ iex;|\ \|\ iex\ |\ \|\ iex\}|\ \|\ IEX\ ;|\ \|\ IEX\ \-Error|\ \|\ IEX\ $new|$;IEX\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::FromBase64String|\.GetString$\[System\.Convert\]::</field>
    </rule>
    <rule id="901528" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell IEX Execution Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$\|iex;\$|\);iex$\$|$;iex\ \$|\ \|\ IEX\ \|\ |\ \|\ iex\\+"</field>
    </rule>
    <rule id="901529" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed From Susp Locations</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Import\-Certificate</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-FilePath\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|:\\+Windows\\+TEMP\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Perflogs\\+|:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="901530" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Import PowerShell Modules From Suspicious Directories - ProcCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Import\-Module\ "\$Env:Temp\\+|Import\-Module\ '\$Env:Temp\\+|Import\-Module\ \$Env:Temp\\+|Import\-Module\ "\$Env:Appdata\\+|Import\-Module\ '\$Env:Appdata\\+|Import\-Module\ \$Env:Appdata\\+|Import\-Module\ C:\\+Users\\+Public\\+|ipmo\ "\$Env:Temp\\+|ipmo\ '\$Env:Temp\\+|ipmo\ \$Env:Temp\\+|ipmo\ "\$Env:Appdata\\+|ipmo\ '\$Env:Appdata\\+|ipmo\ \$Env:Appdata\\+|ipmo\ C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="901531" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="901532" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="901533" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="901534" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+software\\+</field>
    </rule>
    <rule id="901535" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="901536" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="901537" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString\('https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="901538" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox Export to Share</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-MailboxExportRequest</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-Mailbox\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-FilePath\ \\+</field>
    </rule>
    <rule id="901539" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|Check\-VM|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Disable\-MachineAccount|Do\-Exfiltration|Enable\-ADIDNSNode|Enable\-MachineAccount|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADR|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNS|Get\-ApplicationHost|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-MachineAccountAttribute|Get\-MachineAccountCreator|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-Screenshot|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|HTTP\-Login|Install\-ServiceBinary|Install\-SSP|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-DNSRecordArray|New\-HoneyHash|New\-InMemoryModule|New\-MachineAccount|New\-SOASerialNumberArray|Out\-Minidump|Port\-Scan|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-MachineAccount|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Set\-MacAttribute|Set\-MachineAccountAttribute|Set\-Wallpaper|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
    </rule>
    <rule id="901540" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>MSExchange Transport Agent Installation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Install\-TransportAgent</field>
    </rule>
    <rule id="901541" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Non Interactive PowerShell Process Spawned</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+CompatTelRunner\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+Sources\\+SetupHost\.exe</field>
    </rule>
    <rule id="901542" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Non Interactive PowerShell Process Spawned</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\ \-\-ms\-enable\-electron\-run\-as\-node\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal_</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe)$</field>
    </rule>
    <rule id="901543" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Via WCHAR</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$WCHAR$0x</field>
    </rule>
    <rule id="901544" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Execution of Powershell Script in Public Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f\ C:\\+Users\\+Public|\-f\ "C:\\+Users\\+Public|\-f\ %Public%|\-fi\ C:\\+Users\\+Public|\-fi\ "C:\\+Users\\+Public|\-fi\ %Public%|\-fil\ C:\\+Users\\+Public|\-fil\ "C:\\+Users\\+Public|\-fil\ %Public%|\-file\ C:\\+Users\\+Public|\-file\ "C:\\+Users\\+Public|\-file\ %Public%</field>
    </rule>
    <rule id="901545" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-ATHRemoteFXvGPUDisablementCommand|Invoke\-ATHRemoteFXvGPUDisableme</field>
    </rule>
    <rule id="901546" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Run PowerShell Script from ADS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Content</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Stream</field>
    </rule>
    <rule id="901547" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Run PowerShell Script from Redirected Input Stream</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\s-\s*&lt;</field>
    </rule>
    <rule id="901548" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocation From Script Engines</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)\\+Health\ Service\ State\\+</field>
    </rule>
    <rule id="901549" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.collection</id>
            <id>attack.t1114</id>
        </mitre>
        <description>Exchange PowerShell Snap-Ins Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-PSSnapin</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft\.Exchange\.Powershell\.Snapin|Microsoft\.Exchange\.Management\.PowerShell\.SnapIn</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+msiexec\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\$exserver=Get\-ExchangeServer\ $\[Environment\]::MachineName$\ \-ErrorVariable\ exerr\ 2&gt;\ \$null</field>
    </rule>
    <rule id="901550" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potentially Suspicious PowerShell Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mshta\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkspacesConfig\\+Scripts\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkspacesConfig\\+Scripts\\+</field>
    </rule>
    <rule id="901551" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Download and Execute Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IEX\ $\(New\-Object\ Net\.WebClient$\.DownloadString|IEX\ $New\-Object\ Net\.WebClient$\.DownloadString|IEX$\(New\-Object\ Net\.WebClient$\.DownloadString|IEX$New\-Object\ Net\.WebClient$\.DownloadString|\ \-command\ $New\-Object\ System\.Net\.WebClient$\.DownloadFile$|\ \-c\ \(New\-Object\ System\.Net\.WebClient$\.DownloadFile\(</field>
    </rule>
    <rule id="901552" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Parameter Substring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-windowstyle\ h\ |\ \-windowstyl\ h|\ \-windowsty\ h|\ \-windowst\ h|\ \-windows\ h|\ \-windo\ h|\ \-wind\ h|\ \-win\ h|\ \-wi\ h|\ \-win\ h\ |\ \-win\ hi\ |\ \-win\ hid\ |\ \-win\ hidd\ |\ \-win\ hidde\ |\ \-NoPr\ |\ \-NoPro\ |\ \-NoProf\ |\ \-NoProfi\ |\ \-NoProfil\ |\ \-nonin\ |\ \-nonint\ |\ \-noninte\ |\ \-noninter\ |\ \-nonintera\ |\ \-noninterac\ |\ \-noninteract\ |\ \-noninteracti\ |\ \-noninteractiv\ |\ \-ec\ |\ \-encodedComman\ |\ \-encodedComma\ |\ \-encodedComm\ |\ \-encodedCom\ |\ \-encodedCo\ |\ \-encodedC\ |\ \-encoded\ |\ \-encode\ |\ \-encod\ |\ \-enco\ |\ \-en\ |\ \-executionpolic\ |\ \-executionpoli\ |\ \-executionpol\ |\ \-executionpo\ |\ \-executionp\ |\ \-execution\ bypass|\ \-executio\ bypass|\ \-executi\ bypass|\ \-execut\ bypass|\ \-execu\ bypass|\ \-exec\ bypass|\ \-exe\ bypass|\ \-ex\ bypass|\ \-ep\ bypass|\ /windowstyle\ h\ |\ /windowstyl\ h|\ /windowsty\ h|\ /windowst\ h|\ /windows\ h|\ /windo\ h|\ /wind\ h|\ /win\ h|\ /wi\ h|\ /win\ h\ |\ /win\ hi\ |\ /win\ hid\ |\ /win\ hidd\ |\ /win\ hidde\ |\ /NoPr\ |\ /NoPro\ |\ /NoProf\ |\ /NoProfi\ |\ /NoProfil\ |\ /nonin\ |\ /nonint\ |\ /noninte\ |\ /noninter\ |\ /nonintera\ |\ /noninterac\ |\ /noninteract\ |\ /noninteracti\ |\ /noninteractiv\ |\ /ec\ |\ /encodedComman\ |\ /encodedComma\ |\ /encodedComm\ |\ /encodedCom\ |\ /encodedCo\ |\ /encodedC\ |\ /encoded\ |\ /encode\ |\ /encod\ |\ /enco\ |\ /en\ |\ /executionpolic\ |\ /executionpoli\ |\ /executionpol\ |\ /executionpo\ |\ /executionp\ |\ /execution\ bypass|\ /executio\ bypass|\ /executi\ bypass|\ /execut\ bypass|\ /execu\ bypass|\ /exec\ bypass|\ /exe\ bypass|\ /ex\ bypass|\ /ep\ bypass</field>
    </rule>
    <rule id="901553" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1104</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PowerShell DownloadFile</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.DownloadFile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)System\.Net\.WebClient</field>
    </rule>
    <rule id="901554" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.009</id>
        </mitre>
        <description>Powershell Token Obfuscation - Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\w+`(\w+|-|.)`[\w+|\s]</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"(\{\d\})+"\s*-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}</field>
    </rule>
    <rule id="901555" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Suspicious X509Enrollment - Process Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)X509Enrollment\.CBinaryConverter|884e2002\-217d\-11da\-b2a4\-000e7bbb2b09</field>
    </rule>
    <rule id="901556" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901557" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>XBAP Execution From Uncommon Locations Via PresentationHost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+presentationhost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PresentationHost\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.xbap</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Program\ Files</field>
    </rule>
    <rule id="901558" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.NodejsTools\.PressAnyKey\.exe)$</field>
    </rule>
    <rule id="901559" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Abusing Print Executable</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+print\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:print)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/D</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)print\.exe</field>
    </rule>
    <rule id="901560" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provlaunch.EXE Binary Proxy Execution Abuse</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+provlaunch\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+PerfLogs\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+System32\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901561" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1113</id>
        </mitre>
        <description>Screen Capture Activity Via Psr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Psr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/start|\-start</field>
    </rule>
    <rule id="901562" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+3proxy\.exe)$</field>
    </rule>
    <rule id="901563" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)3proxy\ \-\ tiny\ proxy\ server</field>
    </rule>
    <rule id="901564" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-i127\.0\.0\.1\ \-p</field>
    </rule>
    <rule id="901565" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lockoutduration|lockoutthreshold|lockoutobservationwindow|maxpwdage|minpwdage|minpwdlength|pwdhistorylength|pwdproperties</field>
    </rule>
    <rule id="901566" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-sc\ admincountdmp</field>
    </rule>
    <rule id="901567" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-sc\ exchaddresses</field>
    </rule>
    <rule id="901568" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
            <id>stp.1u</id>
        </mitre>
        <description>PUA - AdFind Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domainlist|trustdmp|dcmodes|adinfo|\ dclist\ |computer_pwdnotreqd|objectcategory=|\-subnets\ \-f|name="Domain\ Admins"|\-sc\ u:|domainncs|dompol|\ oudmp\ |subnetdmp|gpodmp|fspdmp|users_noexpire|computers_active|computers_pwdnotreqd</field>
    </rule>
    <rule id="901569" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1564.003</id>
            <id>attack.t1134.002</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>PUA - AdvancedRun Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AdvancedRun\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /EXEFilename\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /Run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /WindowState\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /RunAs\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /CommandLine\ )</field>
    </rule>
    <rule id="901570" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced IP Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+advanced_ip_scanner</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)advanced_ip_scanner</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Advanced\ IP\ Scanner</field>
    </rule>
    <rule id="901571" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced IP Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/portable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lng</field>
    </rule>
    <rule id="901572" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced Port Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+advanced_port_scanner</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)advanced_port_scanner</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Advanced\ Port\ Scanner</field>
    </rule>
    <rule id="901573" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced Port Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/portable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lng</field>
    </rule>
    <rule id="901574" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>PUA - Chisel Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chisel\.exe)$</field>
    </rule>
    <rule id="901575" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SepRemovalToolNative_x64\.exe)$</field>
    </rule>
    <rule id="901576" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CATClean\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-uninstall</field>
    </rule>
    <rule id="901577" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NetInstaller\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-r</field>
    </rule>
    <rule id="901578" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WFPUnins\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/enterprise</field>
    </rule>
    <rule id="901579" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_crassus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1590.001</id>
        </mitre>
        <description>PUA - Crassus Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Crassus\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Crassus\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Crassus</field>
    </rule>
    <rule id="901580" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CsExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csexec\.exe)$</field>
    </rule>
    <rule id="901581" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CsExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)csexec</field>
    </rule>
    <rule id="901582" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.005</id>
        </mitre>
        <description>PUA - DefenderCheck Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DefenderCheck\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)DefenderCheck</field>
    </rule>
    <rule id="901583" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>PUA - DIT Snapshot Viewer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ditsnap\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ditsnap\.exe</field>
    </rule>
    <rule id="901584" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+frpc\.exe|\\+frps\.exe)$</field>
    </rule>
    <rule id="901585" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+frpc\.ini</field>
    </rule>
    <rule id="901586" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=7D9C233B8C9E3F0EA290D2B84593C842|SHA1=06DDC9280E1F1810677935A2477012960905942F|SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)7d9c233b8c9e3f0ea290d2b84593c842</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)06ddc9280e1f1810677935a2477012960905942f</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c</field>
    </rule>
    <rule id="901587" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+iox\.exe)$</field>
    </rule>
    <rule id="901588" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ fwd\ \-l\ |\.exe\ fwd\ \-r\ |\.exe\ proxy\ \-l\ |\.exe\ proxy\ \-r\ )</field>
    </rule>
    <rule id="901589" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=9DB2D314DD3F704A02051EF5EA210993|SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD|SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)9db2d314dd3f704a02051ef5ea210993</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)039130337e28a6623ecf9a0a3da7d92c5964d8dd</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731</field>
    </rule>
    <rule id="901590" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>PUA - Mouse Lock Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Mouse\ Lock</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)Misc314</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Mouse\ Lock_</field>
    </rule>
    <rule id="901591" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>PUA - Netcat Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nc\.exe|\\+ncat\.exe|\\+netcat\.exe)$</field>
    </rule>
    <rule id="901592" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>PUA - Netcat Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-lvp\ |\ \-lvnp|\ \-l\ \-v\ \-p\ |\ \-lv\ \-p\ |\ \-l\ \-\-proxy\-type\ http\ |\ \-vnl\ \-\-exec\ |\ \-vnl\ \-e\ |\ \-\-lua\-exec\ |\ \-\-sh\-exec\ )</field>
    </rule>
    <rule id="901593" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ tcp\ 139|\ tcp\ 445|\ tcp\ 3389|\ tcp\ 5985|\ tcp\ 5986</field>
    </rule>
    <rule id="901594" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ start\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-all</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.yml</field>
    </rule>
    <rule id="901595" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:ngrok\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tcp\ |\ http\ |\ authtoken\ )</field>
    </rule>
    <rule id="901596" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ authtoken\ |\.exe\ start\ \-\-all</field>
    </rule>
    <rule id="901597" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nimgrab\.exe)$</field>
    </rule>
    <rule id="901598" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B|SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559|IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45</field>
    </rule>
    <rule id="901599" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)2DD44C3C29D667F5C0EF5F9D7C7FFB8B</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)C07FDDD21D123EA9B3A08EEF44AAAC45</field>
    </rule>
    <rule id="901600" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NirCmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)NirCmd\.exe</field>
    </rule>
    <rule id="901601" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ execmd\ |\.exe\ script\ |\.exe\ shexec\ |\ runinteractive\ )</field>
    </rule>
    <rule id="901602" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution As LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ runassystem\ )</field>
    </rule>
    <rule id="901603" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>PUA - Nmap/Zenmap Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nmap\.exe|\\+zennmap\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)nmap\.exe|zennmap\.exe</field>
    </rule>
    <rule id="901604" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+npc\.exe)$</field>
    </rule>
    <rule id="901605" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-server=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-vkey=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-password=</field>
    </rule>
    <rule id="901606" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-config=npc</field>
    </rule>
    <rule id="901607" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=AE8ACF66BFE3A44148964048B826D005|SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181|SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)ae8acf66bfe3a44148964048b826d005</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)cea49e9b9b67f3a13ad0be1c2655293ea3c18181</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856</field>
    </rule>
    <rule id="901608" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=f741f25ac909ee434e50812d436c73ff|MD5=d40acbfc29ee24388262e3d8be16f622|MD5=01bb2c16fadb992fa66228cd02d45c60|MD5=9e1b18e62e42b5444fc55b51e640355b|MD5=b7f8fe33ac471b074ca9e630ba0c7e79|MD5=324579d717c9b9b8e71d0269d13f811f|MD5=63257a1ddaf83cfa43fe24a3bc06c207|MD5=049e85963826b059c9bac273bb9c82ab|MD5=ecb98b7b4d4427eb8221381154ff4cb2|MD5=faf87749ac790ec3a10dd069d10f9d63|MD5=f296dba5d21ad18e6990b1992aea8f83|MD5=93ba94355e794b6c6f98204cf39f7a11|MD5=a258ef593ac63155523a461ecc73bdba|MD5=97000eb5d1653f1140ee3f47186463c4|MD5=95eb317fbbe14a82bd9fdf31c48b8d93|MD5=32fe9f0d2630ac40ea29023920f20f49|MD5=a05930dde939cfd02677fc18bb2b7df5|MD5=124283924e86933ff9054a549d3a268b|MD5=ceda6909b8573fdeb0351c6920225686|MD5=60ce120040f2cd311c810ae6f6bbc182|MD5=2f10cdc5b09100a260703a28eadd0ceb|MD5=011d967028e797a4c16d547f7ba1463f|MD5=2da9152c0970500c697c1c9b4a9e0360|MD5=b5ba72034b8f44d431f55275bace9f8b|MD5=d6ed9101df0f24e27ff92ddab42dacca|MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d|MD5=5e083cd0143ae95a6cb79b68c07ca573|MD5=28caff93748cb84be70486e79f04c2df|MD5=9d4f12c30f9b500f896efd1800e4dd11|MD5=4586f7dd14271ad65a5fb696b393f4c0|MD5=86ba9dddbdf49215145b5bcd081d4011|MD5=9dce0a481343874ef9a36c9a825ef991|MD5=85890f62e231ad964b1fda7a674747ec|MD5=599be548da6441d7fe3e9a1bb8cb0833|MD5=9b0c7fd5763f66e9b8c7b457fce53f96|MD5=32d45718164205aec3e98e0223717d1d|MD5=6ff5f373ee7f794cd17db50704d00ddb|MD5=88efbdf41f0650f8f58a3053b0ca0459|MD5=ef915f61f861d1fb7cbde9afd2e7bd93|MD5=781fa16511a595757154b4304d2dd350|MD5=5018ec39be0e296f4fc8c8575bfa8486|MD5=f4a84d6f1caf0875b50135423d04139f|SHA1=9c1431801fa6342ed68f047842b9a11778fc669b|SHA1=c36c862f40dad78cb065197aad15fef690c262f2|SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d|SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f|SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa|SHA1=f14c9633040897d375e3069fddc71e859f283778|SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc|SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937|SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36|SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b|SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc|SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11|SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995|SHA1=607e1fa810c799735221a609af3bfc405728c02d|SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3|SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a|SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491|SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178|SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4|SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84|SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea|SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17|SHA1=81d67b3d70c4e855cb11a453cc32997517708362|SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad|SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2|SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92|SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1|SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a|SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db|SHA1=3150f14508ee4cae19cf09083499d1cda8426540|SHA1=036ad9876fa552b1298c040e233d620ea44689c6|SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5|SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c|SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d|SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4|SHA1=c82152cddf9e5df49094686531872ecd545976db|SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61|SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836|SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719|SHA1=34c0c5839af1c92bce7562b91418443a2044c90d|SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08|SHA1=3a515551814775df0ccbe09f219bc972eae45a10|SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b|SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85|SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03|SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795|SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f|SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a|SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275|SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b|SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2|SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae|SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6|SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a|SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1|SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559|SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2|SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef|SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d|SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524|SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b|SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b|SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629|SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358|SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca|SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea|SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172|SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4|SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2|SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66|SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27|SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41|SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1|SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0|SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8|SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d|SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726|SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90|SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5|SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140|SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87|SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892|SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054|SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PingCastle\.exe</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Ping\ Castle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
    </rule>
    <rule id="901609" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.bat|\.chm|\.cmd|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf</field>
    </rule>
    <rule id="901610" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="901611" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901612" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.bat|\.chm|\.cmd|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PingCastle\.exe</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Ping\ Castle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
    </rule>
    <rule id="901613" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+ProcessHacker_</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ProcessHacker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ProcessHacker\.exe|Process\ Hacker</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Process\ Hacker</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Process\ Hacker</field>
    </rule>
    <rule id="901614" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=68F9B52895F4D34E74112F3129B3B00D|MD5=B365AF317AE730A67C936F21432B9C71|SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D|SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E|SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F|SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4|IMPHASH=3695333C60DEDECDCAFF1590409AA462|IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF</field>
    </rule>
    <rule id="901615" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)68f9b52895f4d34e74112f3129b3b00d|b365af317ae730a67c936f21432b9c71</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e|a0bdfac3ce1880b32ff9b696458327ce352e3b1d</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f|bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)04de0ad9c37eb7bd52043d2ecac958df|3695333c60dedecdcaff1590409aa462</field>
    </rule>
    <rule id="901616" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1072</id>
        </mitre>
        <description>PUA - Radmin Viewer Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Radmin\ Viewer</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Radmin\ Viewer</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Radmin\.exe</field>
    </rule>
    <rule id="901617" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>PUA - Rclone Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-config\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-no\-check\-certificate\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ copy\ )</field>
    </rule>
    <rule id="901618" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1526</id>
            <id>attack.t1087</id>
            <id>attack.t1083</id>
        </mitre>
        <description>PUA - Seatbelt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Seatbelt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Seatbelt\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Seatbelt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ DpapiMasterKeys|\ InterestingProcesses|\ InterestingFiles|\ CertificateThumbprints|\ ChromiumBookmarks|\ ChromiumHistory|\ ChromiumPresence|\ CloudCredentials|\ CredEnum|\ CredGuard|\ FirefoxHistory|\ ProcessCreationEvents</field>
    </rule>
    <rule id="901619" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SystemInformer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SystemInformer\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)System\ Informer</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)System\ Informer</field>
    </rule>
    <rule id="901620" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=19426363A37C03C3ED6FEDF57B6696EC|SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC|SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287|IMPHASH=B68908ADAEB5D662F87F2528AF318F12</field>
    </rule>
    <rule id="901621" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)19426363A37C03C3ED6FEDF57B6696EC</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)B68908ADAEB5D662F87F2528AF318F12</field>
    </rule>
    <rule id="901622" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>PUA - WebBrowserPassView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Web\ Browser\ Password\ Viewer</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WebBrowserPassView\.exe)$</field>
    </rule>
    <rule id="901623" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PUA - Wsudo Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsudo\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wsudo\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Windows\ sudo\ utility</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsudo\-bridge\.exe)$</field>
    </rule>
    <rule id="901624" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PUA - Wsudo Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ System|\-uSystem|\-u\ TrustedInstaller|\-uTrustedInstaller|\ \-\-ti\ )</field>
    </rule>
    <rule id="901625" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>PUA - Adidnsdump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)adidnsdump</field>
    </rule>
    <rule id="901626" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Inline Command Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)python\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-c</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Python)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-E\ \-s\ \-m\ ensurepip\ \-U\ \-\-default\-pip</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
    </rule>
    <rule id="901627" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Spawning Pretty TTY on Windows</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)import\ pty</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.spawn\(</field>
    </rule>
    <rule id="901628" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Spawning Pretty TTY on Windows</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)from\ pty\ import\ spawn</field>
    </rule>
    <rule id="901629" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Query Usage To Exfil Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+query\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)session\ &gt;|process\ &gt;</field>
    </rule>
    <rule id="901630" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Rar Usage with Password and Compression Level</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-hp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-m|\ a\ )</field>
    </rule>
    <rule id="901631" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Files Added To An Archive Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ a\ )</field>
    </rule>
    <rule id="901632" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Greedy Compression Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Command\ line\ RAR</field>
    </rule>
    <rule id="901633" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Greedy Compression Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ a\ |\ a\ \-m</field>
    </rule>
    <rule id="901634" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious RASdial Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:rasdial\.exe)$</field>
    </rule>
    <rule id="901635" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Memory Dump via RdrLeakDiag.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)fullmemdmp|/memdmp|\-memdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-o\ |\ /o\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ |\ /p\ )</field>
    </rule>
    <rule id="901636" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Memory Dump via RdrLeakDiag.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rdrleakdiag\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RdrLeakDiag\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)fullmemdmp|/memdmp|\-memdmp</field>
    </rule>
    <rule id="901637" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Imports Registry Key From an ADS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGEDIT\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /i\ |\.reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^ \\+]</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-e\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-a\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-c\ )</field>
    </rule>
    <rule id="901638" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Regedit as Trusted Installer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+TrustedInstaller\.exe|\\+ProcessHacker\.exe)$</field>
    </rule>
    <rule id="901639" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Registry Modification Via Regini.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regini\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGINI\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):[^ \\+]</field>
    </rule>
    <rule id="901640" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
        </mitre>
        <description>DLL Execution Via Register-cimprovider.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+register\-cimprovider\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-path</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dll</field>
    </rule>
    <rule id="901641" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>Enumeration for 3rd Party Creds From CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Software\\+SimonTatham\\+PuTTY\\+Sessions|\\+Software\\+SimonTatham\\+PuTTY\\+SshHostKeys\\+|\\+Software\\+Mobatek\\+MobaXterm\\+|\\+Software\\+WOW6432Node\\+Radmin\\+v3\.0\\+Server\\+Parameters\\+Radmin|\\+Software\\+Aerofox\\+FoxmailPreview|\\+Software\\+Aerofox\\+Foxmail\\+V3\.1|\\+Software\\+IncrediMail\\+Identities|\\+Software\\+Qualcomm\\+Eudora\\+CommandLine|\\+Software\\+RimArts\\+B2\\+Settings|\\+Software\\+OpenVPN\-GUI\\+configs|\\+Software\\+Martin\ Prikryl\\+WinSCP\ 2\\+Sessions|\\+Software\\+FTPWare\\+COREFTP\\+Sites|\\+Software\\+DownloadManager\\+Passwords|\\+Software\\+OpenSSH\\+Agent\\+Keys|\\+Software\\+TightVNC\\+Server|\\+Software\\+ORL\\+WinVNC3\\+Password|\\+Software\\+RealVNC\\+WinVNC4</field>
    </rule>
    <rule id="901642" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+ProtocolDefaults</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0</field>
    </rule>
    <rule id="901643" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1037.001</id>
        </mitre>
        <description>Potential Persistence Via Logon Scripts - CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)UserInitMprLogonScript</field>
    </rule>
    <rule id="901644" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Using New NetworkProvider - CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+NetworkProvider</field>
    </rule>
    <rule id="901645" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Potential Privilege Escalation via Service Permissions Weakness</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)Medium</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)services</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+ImagePath|\\+FailureCommand|\\+ServiceDll</field>
    </rule>
    <rule id="901646" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provisioning Registry Key Abuse For Binary Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Provisioning\\+Commands\\+</field>
    </rule>
    <rule id="901647" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via TypedPaths - CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+TypedPaths</field>
    </rule>
    <rule id="901648" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Potential Regsvr32 Commandline Flag Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\ \-i:</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-n\ )</field>
    </rule>
    <rule id="901649" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of Regsvr32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cscript\.exe|\\+explorer\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+nltest\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+reg\.exe|\\+schtasks\.exe|\\+werfault\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+werfault\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-u\ \-p\ )</field>
    </rule>
    <rule id="901650" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Regsvr32 Execution From Highly Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGSVR32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Temp\\+|\\+Windows\\+Registration\\+CRMLog|\\+Windows\\+System32\\+com\\+dmp\\+|\\+Windows\\+System32\\+FxsTmp\\+|\\+Windows\\+System32\\+Microsoft\\+Crypto\\+RSA\\+MachineKeys\\+|\\+Windows\\+System32\\+spool\\+drivers\\+color\\+|\\+Windows\\+System32\\+spool\\+PRINTERS\\+|\\+Windows\\+System32\\+spool\\+SERVERS\\+|\\+Windows\\+System32\\+Tasks_Migrated\\+|\\+Windows\\+System32\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|\\+Windows\\+SysWOW64\\+com\\+dmp\\+|\\+Windows\\+SysWOW64\\+FxsTmp\\+|\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+PLA\\+System\\+|\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Tracing\\+</field>
    </rule>
    <rule id="901651" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Regsvr32 Execution From Highly Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGSVR32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ "C:\\+|\ C:\\+|\ 'C:\\+|D:\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ "C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ 'C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901652" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Scripting/CommandLine Process Spawned Regsvr32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /s\ C:\\+Windows\\+System32\\+RpcProxy\\+RpcProxy\.dll)$</field>
    </rule>
    <rule id="901653" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
            <id>attack.execution</id>
        </mitre>
        <description>Regsvr32 DLL Execution With Uncommon Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGSVR32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ax</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ocx</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="901654" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
            <id>attack.execution</id>
        </mitre>
        <description>Regsvr32 DLL Execution With Uncommon Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)REGSVR32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ppl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.bav</field>
    </rule>
    <rule id="901655" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Potential Persistence Attempt Via Run Keys Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ ADD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
    </rule>
    <rule id="901656" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Reg Add BitLocker</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ADD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Policies\\+Microsoft\\+FVE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EnableBDEWithNoTPM|UseAdvancedStartup|UseTPM|UseTPMKey|UseTPMKeyPIN|RecoveryKeyMessageSource|UseTPMPIN|RecoveryKeyMessage</field>
    </rule>
    <rule id="901657" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556.002</id>
        </mitre>
        <description>Dropping Of Password Filter DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+Lsa</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)scecli\\+0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\ add</field>
    </rule>
    <rule id="901658" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+Paths|SOFTWARE\\+Microsoft\\+Microsoft\ Antimalware\\+Exclusions\\+Paths</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:ADD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/t\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:REG_DWORD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/v\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="901659" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ NoChangingWallpaper</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 1</field>
    </rule>
    <rule id="901660" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ Wallpaper</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
    </rule>
    <rule id="901661" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ WallpaperStyle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 2</field>
    </rule>
    <rule id="901662" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Security Service Disabled Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 4</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)v\ Start</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppIDSvc|\\+MsMpSvc|\\+NisSrv|\\+SecurityHealthService|\\+Sense|\\+UsoSvc|\\+WdBoot|\\+WdFilter|\\+WdNisDrv|\\+WdNisSvc|\\+WinDefend|\\+wscsvc|\\+wuauserv</field>
    </rule>
    <rule id="901663" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>Enumeration for Credentials in Registry</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ query\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/t\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKLM</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU\\+Software\\+SimonTatham\\+PuTTY\\+Sessions</field>
    </rule>
    <rule id="901664" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RestrictedAdminMode Registry Value Tampering - ProcCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Lsa\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisableRestrictedAdmin</field>
    </rule>
    <rule id="901665" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Query of MachineGUID</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Cryptography</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/v\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MachineGuid</field>
    </rule>
    <rule id="901666" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Enable LM Hash Storage - ProcCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Lsa</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NoLMHash</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0</field>
    </rule>
    <rule id="901667" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings\\+shell\\+open\\+command</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/ve\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d</field>
    </rule>
    <rule id="901668" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings\\+shell\\+open\\+command</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DelegateExecute</field>
    </rule>
    <rule id="901669" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings</field>
    </rule>
    <rule id="901670" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Tampering With RDP Related Registry Keys Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Terminal\ Server</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_DWORD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Licensing\ Core</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EnableConcurrentSessions</field>
    </rule>
    <rule id="901671" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Tampering With RDP Related Registry Keys Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Terminal\ Server</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_DWORD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinStations\\+RDP\-Tcp|MaxInstanceCount|fEnableWinStation|TSUserEnabled|TSEnabled|TSAppCompat|IdleWinStationPoolCount|TSAdvertise|AllowTSConnections|fSingleSessionPerUser|fDenyTSConnections</field>
    </rule>
    <rule id="901672" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaveActive</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 1</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901673" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaveTimeout</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901674" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaverIsSecure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901675" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ SCRNSAVE\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.scr</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901676" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1518</id>
        </mitre>
        <description>Detected Windows Software Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)query</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+software\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)svcversion</field>
    </rule>
    <rule id="901677" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled Volume Snapshots</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Services\\+VSS\\+Diag</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ Disabled</field>
    </rule>
    <rule id="901678" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Registry Key Tampering Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisallowExploitProtectionOverride|EnableControlledFolderAccess|MpEnablePus|PUAProtection|SpynetReporting|SubmitSamplesConsent|TamperProtection</field>
    </rule>
    <rule id="901679" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Registry Key Tampering Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 1</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisableAntiSpyware|DisableAntiSpywareRealtimeProtection|DisableAntiVirus|DisableArchiveScanning|DisableBehaviorMonitoring|DisableBlockAtFirstSeen|DisableConfig|DisableEnhancedNotifications|DisableIntrusionPreventionSystem|DisableIOAVProtection|DisableOnAccessProtection|DisablePrivacyMode|DisableRealtimeMonitoring|DisableRoutinelyTakingAction|DisableScanOnRealtimeEnable|DisableScriptScanning|Notification_Suppress|SignatureDisableUpdateOnStartupWithoutEngine</field>
    </rule>
    <rule id="901680" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Write Protect For Storage Disabled</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Write\ Protection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)storage</field>
    </rule>
    <rule id="901681" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)AnyDesk\ Software\ GmbH</field>
    </rule>
    <rule id="901682" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Piped Password Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:echo\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-\-set\-password</field>
    </rule>
    <rule id="901683" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)AnyDesk\ Software\ GmbH</field>
        <field name="win.eventdata.fileVersion" negate="no" type="pcre2">(?i)^(?:7\.0\.|7\.1\.|8\.0\.1|8\.0\.2|8\.0\.3|8\.0\.4|8\.0\.5|8\.0\.6|8\.0\.7)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-remove</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-uninstall</field>
    </rule>
    <rule id="901684" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Silent Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-install</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-start\-with\-win</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-silent</field>
    </rule>
    <rule id="901685" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - Anydesk Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)AnyDesk</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)AnyDesk\ Software\ GmbH</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Program\ Files\ $x86$\\+AnyDesk</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Program\ Files\\+AnyDesk</field>
    </rule>
    <rule id="901686" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - GoToAssist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)GoTo\ Opener</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)GoTo\ Opener</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)LogMeIn,\ Inc\.</field>
    </rule>
    <rule id="901687" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - LogMeIn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)LMIGuardianSvc</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)LMIGuardianSvc</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)LogMeIn,\ Inc\.</field>
    </rule>
    <rule id="901688" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - NetSupport Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)NetSupport\ Client\ Configurator</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)NetSupport\ Remote\ Control</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)NetSupport\ Ltd</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PCICFGUI\.EXE</field>
    </rule>
    <rule id="901689" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Remote Access Tool - NetSupport Execution From Unusual Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+client32\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)NetSupport\ Remote\ Control</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)client32\.exe</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)a9d50692e95b79723f3e76fcf70d023e</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=a9d50692e95b79723f3e76fcf70d023e</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="901690" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Remote Access Tool - RURAT Execution From Unusual Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rutserv\.exe|\\+rfusclient\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Remote\ Utilities</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Remote\ Utilities)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Remote\ Utilities)</field>
    </rule>
    <rule id="901691" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)ScreenConnect\ Service</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)ScreenConnect</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)ScreenConnect\ Software</field>
    </rule>
    <rule id="901692" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Installation Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)e=Access\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)y=Guest\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;p=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;c=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;k=</field>
    </rule>
    <rule id="901693" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Windows\\+TEMP\\+ScreenConnect\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)run\.cmd</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe|\\+cmd\.exe|\\+curl\.exe|\\+dllhost\.exe|\\+net\.exe|\\+nltest\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+rundll32\.exe|\\+wevtutil\.exe)$</field>
    </rule>
    <rule id="901694" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Server Web Shell Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ScreenConnect\.Service\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+csc\.exe)$</field>
    </rule>
    <rule id="901695" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - Simple Help Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+JWrapper\-Remote\ Access\\+|\\+JWrapper\-Remote\ Support\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SimpleService\.exe)$</field>
    </rule>
    <rule id="901696" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Remote Access Tool - Team Viewer Session Started On Windows Host</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)TeamViewer_Desktop\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)TeamViewer_Service\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:TeamViewer_Desktop\.exe\ \-\-IPCport\ 5939\ \-\-Module\ 1)$</field>
    </rule>
    <rule id="901697" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - UltraViewer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)UltraViewer</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)DucFabulous\ Co,ltd</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)UltraViewer_Desktop\.exe</field>
    </rule>
    <rule id="901698" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1124</id>
        </mitre>
        <description>Discovery of a System Time</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)time</field>
    </rule>
    <rule id="901699" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1124</id>
        </mitre>
        <description>Discovery of a System Time</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+w32tm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tz</field>
    </rule>
    <rule id="901700" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domainlist|trustdmp|dcmodes|adinfo|\ dclist\ |computer_pwdnotreqd|objectcategory=|\-subnets\ \-f|name="Domain\ Admins"|\-sc\ u:|domainncs|dompol|\ oudmp\ |subnetdmp|gpodmp|fspdmp|users_noexpire|computers_active|computers_pwdnotreqd</field>
    </rule>
    <rule id="901701" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)bca5675746d13a1f246e2da3c2217492|53e117a96057eaf19c41380d0e87f1c2</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCA5675746D13A1F246E2DA3C2217492|IMPHASH=53E117A96057EAF19C41380D0E87F1C2</field>
    </rule>
    <rule id="901702" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AdFind\.exe</field>
    </rule>
    <rule id="901703" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AdFind\.exe)$</field>
    </rule>
    <rule id="901704" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed AutoHotkey.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)AutoHotkey</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)AutoHotkey</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AutoHotkey\.exe|AutoHotkey\.rc</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey64_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyA32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyA32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU64_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AutoHotkey</field>
    </rule>
    <rule id="901705" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /AutoIt3ExecuteScript|\ /ErrorStdOut</field>
    </rule>
    <rule id="901706" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)fdc554b3a8683918d731685855683ddf|cd30a61b60b3d60cecdb034c8c83c290|f8a00c72f2d667d2edbb234d0c0ae000</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=FDC554B3A8683918D731685855683DDF|IMPHASH=CD30A61B60B3D60CECDB034C8C83C290|IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000</field>
    </rule>
    <rule id="901707" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)AutoIt3\.exe|AutoIt2\.exe|AutoIt\.exe</field>
    </rule>
    <rule id="901708" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt3_x64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt3\.exe)$</field>
    </rule>
    <rule id="901709" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential Defense Evasion Via Binary Rename</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe|CONHOST\.EXE|7z\.exe|WinRAR\.exe|wevtutil\.exe|net\.exe|net1\.exe|netsh\.exe|InstallUtil\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+7z\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WinRAR\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+InstallUtil\.exe)$</field>
    </rule>
    <rule id="901710" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Potential Defense Evasion Via Rename Of Highly Relevant Binaries</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Execute\ processes\ remotely</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Sysinternals\ PsExec</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Windows\ PowerShell|pwsh)</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)certutil\.exe|cmstp\.exe|cscript\.exe|mshta\.exe|msiexec\.exe|powershell_ise\.exe|powershell\.exe|psexec\.c|psexec\.exe|psexesvc\.exe|pwsh\.dll|reg\.exe|regsvr32\.exe|rundll32\.exe|WerMgr|wmic\.exe|wscript\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psexec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PSEXESVC\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
    </rule>
    <rule id="901711" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1528</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed BrowserCore.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)BrowserCore\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+BrowserCore\.exe)$</field>
    </rule>
    <rule id="901712" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cleanup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-connector\-id\ )</field>
    </rule>
    <rule id="901713" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-credentials\-contents\ |\-credentials\-file\ |\-token\ )</field>
    </rule>
    <rule id="901714" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel</field>
    </rule>
    <rule id="901715" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29|SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8|SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039|SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28|SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7|SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373|SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670|SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a|SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0|SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1|SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2|SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac|SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f|SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d|SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499|SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b|SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f|SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032|SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234|SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f|SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058|SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c|SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f|SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5|SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3|SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4|SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c|SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4|SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f|SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad|SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7|SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75|SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6|SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688|SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f|SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663|SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77|SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078</field>
    </rule>
    <rule id="901716" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\-windows\-386\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\-windows\-amd64\.exe)$</field>
    </rule>
    <rule id="901717" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)FX_VER_INTERNALNAME_STR</field>
    </rule>
    <rule id="901718" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-full\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="901719" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+createdump\.exe)$</field>
    </rule>
    <rule id="901720" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_curl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed CURL.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)curl\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)The\ curl\ executable</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+curl</field>
    </rule>
    <rule id="901721" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1055.001</id>
            <id>attack.t1202</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Renamed ZOHO Dctask64 Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)6834B1B94E49701D77CCB3C0895E1AFD</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dctask64\.exe)$</field>
    </rule>
    <rule id="901722" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed FTP.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ftp\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ftp\.exe)$</field>
    </rule>
    <rule id="901723" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Renamed Gpg.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)gpg\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+gpg\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+gpg2\.exe)$</field>
    </rule>
    <rule id="901724" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed Jusched.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Java\ Update\ Scheduler|Java$TM$\ Update\ Scheduler</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+jusched\.exe)$</field>
    </rule>
    <rule id="901725" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.001</id>
            <id>attack.t1218.013</id>
        </mitre>
        <description>Renamed Mavinject.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)mavinject32\.exe|mavinject64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mavinject32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mavinject64\.exe)$</field>
    </rule>
    <rule id="901726" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Renamed MegaSync Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)megasync\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+megasync\.exe)$</field>
    </rule>
    <rule id="901727" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed Msdt.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)msdt\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
    </rule>
    <rule id="901728" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed NetSupport RAT Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)NetSupport\ Remote\ Control</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)client32\.exe</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)a9d50692e95b79723f3e76fcf70d023e</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=A9D50692E95B79723F3E76FCF70D023E</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+client32\.exe)$</field>
    </rule>
    <rule id="901729" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed NirCmd.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)NirCmd\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+nircmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+nircmdc\.exe)$</field>
    </rule>
    <rule id="901730" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed Office Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Excel\.exe|MSACCESS\.EXE|MSPUB\.EXE|OneNote\.exe|OneNoteM\.exe|OUTLOOK\.EXE|POWERPNT\.EXE|WinWord\.exe</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Microsoft\ Access|Microsoft\ Excel|Microsoft\ OneNote|Microsoft\ Outlook|Microsoft\ PowerPoint|Microsoft\ Publisher|Microsoft\ Word|Sent\ to\ OneNote\ Tool</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+EXCEL\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excelcnv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSACCESS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSPUB\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTE\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTEM\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+POWERPNT\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WINWORD\.exe)$</field>
    </rule>
    <rule id="901731" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed PAExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)PAExec\ Application</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PAExec\.exe</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)PAExec</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)11D40A7B7876288F919AB819CC2D9802|6444f8a34e99b8f7d9647de66aabe516|dfd6aa3f7b2b1035b76b718f1ddc689f|1a6cca4d5460b1710a12dea39e4a592c</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=11D40A7B7876288F919AB819CC2D9802|IMPHASH=6444f8a34e99b8f7d9647de66aabe516|IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f|IMPHASH=1a6cca4d5460b1710a12dea39e4a592c</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+paexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+PAExec\-)</field>
    </rule>
    <rule id="901732" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed PingCastle Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PingCastleReporting\.exe|PingCastleCloud\.exe|PingCastle\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastleReporting\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastleCloud\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
    </rule>
    <rule id="901733" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Renamed Plink Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Plink</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-l\ forward</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-P\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+plink\.exe)$</field>
    </rule>
    <rule id="901734" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Visual Studio NodejsTools PressAnyKey Renamed Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Microsoft\.NodejsTools\.PressAnyKey\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.NodejsTools\.PressAnyKey\.exe)$</field>
    </rule>
    <rule id="901735" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Potential Renamed Rundll32 Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DllRegisterServer</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
    </rule>
    <rule id="901736" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.collection</id>
            <id>attack.command_and_control</id>
            <id>attack.discovery</id>
            <id>attack.s0592</id>
        </mitre>
        <description>Renamed Remote Utilities RAT (RURAT) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Remote\ Utilities</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rutserv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rfusclient\.exe)$</field>
    </rule>
    <rule id="901737" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Renamed SysInternals DebugView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Sysinternals\ DebugView</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)Dbgview\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dbgview\.exe)$</field>
    </rule>
    <rule id="901738" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed ProcDump Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)procdump</field>
    </rule>
    <rule id="901739" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed ProcDump Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ma\ |\ /ma\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-accepteula\ |\ /accepteula\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
    </rule>
    <rule id="901740" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Renamed PsExec Service Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)psexesvc\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+PSEXESVC\.exe</field>
    </rule>
    <rule id="901741" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1485</id>
        </mitre>
        <description>Renamed Sysinternals Sdelete Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sdelete\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete64\.exe)$</field>
    </rule>
    <rule id="901742" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Renamed Vmnat.exe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)vmnat\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:vmnat\.exe)$</field>
    </rule>
    <rule id="901743" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Renamed Whoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)whoami\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
    </rule>
    <rule id="901744" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Capture Credentials with Rpcping.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rpcping\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-s</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-u|NTLM</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-t|ncacn_np</field>
    </rule>
    <rule id="901745" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Call by Ordinal</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i),\#|,\ \#|\.dll\ \#|\.ocx\ \#</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)EDGEHTML\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\#141</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Msbuild\\+Current\\+Bin\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+VC\\+Tools\\+MSVC\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Tracker\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker32\.dll,\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker32\.dll",\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker64\.dll,\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker64\.dll",\#1</field>
    </rule>
    <rule id="901746" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspicious Rundll32 Invoking Inline VBScript</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Execute</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegRead</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)window\.close</field>
    </rule>
    <rule id="901747" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Mshtml.DLL RunHTMLApplication Suspicious Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\.\.\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshtml</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\#135|RunHTMLApplication</field>
    </rule>
    <rule id="901748" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Rundll32 Execution Without CommandLine Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+rundll32\.exe"|\\+rundll32)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Edge\\+</field>
    </rule>
    <rule id="901749" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Rundll32 Spawned Via Explorer.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-localserver\ 22d8c27b\-47a1\-48d1\-ad08\-7da7abd79617)$</field>
    </rule>
    <rule id="901750" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\#\-|\#\+|\#24|24\ |MiniDump</field>
    </rule>
    <rule id="901751" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
    </rule>
    <rule id="901752" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)24</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \#|,\#|,\ \#</field>
    </rule>
    <rule id="901753" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>car.2013-05-002</id>
        </mitre>
        <description>Suspicious Process Start Locations</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+RECYCLER\\+|:\\+SystemVolumeInformation\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Tasks\\+|C:\\+Windows\\+debug\\+|C:\\+Windows\\+fonts\\+|C:\\+Windows\\+help\\+|C:\\+Windows\\+drivers\\+|C:\\+Windows\\+addins\\+|C:\\+Windows\\+cursors\\+|C:\\+Windows\\+system32\\+tasks\\+)</field>
    </rule>
    <rule id="901754" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Rundll32 Setupapi.dll Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+runonce\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)setupapi\.dll</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)InstallHinfSection</field>
    </rule>
    <rule id="901755" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>RunDLL32 Spawning Explorer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+shell32\.dll,Control_RunDLL</field>
    </rule>
    <rule id="901756" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Potentially Suspicious Rundll32 Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)javascript:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.RegisterXLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURLA</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)FileProtocolHandler</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)zipfldr\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RouteTheCall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShellExec_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshtml\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)PrintHTML</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchINFSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegisterOCX</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieadvpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchINFSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieadvpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegisterOCX</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieframe\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shdocvw\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)syssetup\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SetupInfObjectInstallAction</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)setupapi\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)InstallHinfSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pcwutl\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchApplication</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dfshim\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShOpenVerbApplication</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dfshim\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShOpenVerbShortcut</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)scrobj\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)GenerateTypeLib</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shimgvw\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ImageView_Fullscreen</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MiniDump</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)shell32\.dll,Control_RunDLL\ desk\.cpl,screensaver,@screensaver</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+control\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Control_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+control\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+rundll32\.exe"\ Shell32\.dll,Control_RunDLL\ "C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl",)$</field>
    </rule>
    <rule id="901757" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Control Panel DLL Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+System32\\+control\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Shell32\.dll</field>
    </rule>
    <rule id="901758" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ShimCache Flush</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)apphelp\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShimFlushCache|\#250</field>
    </rule>
    <rule id="901759" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ShimCache Flush</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)apphelp\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)kernel32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)BaseFlushAppcompatCache|\#46</field>
    </rule>
    <rule id="901760" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Rundll32 Execution With Uncommon DLL Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.inf\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.inf)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-localserver\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+Installer\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="901761" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
            <id>cve.2023.23397</id>
        </mitre>
        <description>Suspicious WebDav Client Execution Via Rundll32.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-s\ WebClient</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+windows\\+system32\\+davclnt\.dll,DavSetCookie</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://10\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://192\.168\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.16\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.17\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.18\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.19\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.20\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.21\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.22\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.23\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.24\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.25\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.26\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.27\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.28\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.29\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.30\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.31\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://127\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://169\.254\.</field>
    </rule>
    <rule id="901762" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1570</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Rundll32 Execution Without Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32\.exe|rundll32</field>
    </rule>
    <rule id="901763" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Schtasks Execution AppData Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/RU</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/TR</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:NT\ AUT|\ SYSTEM\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)TeamViewer_\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/TN\ TVInstallRestore</field>
    </rule>
    <rule id="901764" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1053.005</id>
            <id>attack.s0111</id>
            <id>car.2013-08-001</id>
            <id>stp.1u</id>
        </mitre>
        <description>Scheduled Task Creation Via Schtasks.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="901765" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation Involving Temp Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /sc\ once\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="901766" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Delete All Scheduled Tasks</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /delete\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/tn\ \\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
    </rule>
    <rule id="901767" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks From Env Var Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs|:\\+Windows\\+Temp|\\+AppData\\+Local\\+|\\+AppData\\+Roaming\\+|\\+Users\\+Public|%AppData%|%Public%</field>
    </rule>
    <rule id="901768" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks From Env Var Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs|:\\+Windows\\+Temp|\\+Users\\+Public|%Public%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update_task\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /TN\ TVInstallRestore\ /TR</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)unattended\.ini</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /Xml\ "C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+\.CR\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Avira_Security_Installation\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /F\ /TN</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Xml\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Avira_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+UpdateFallbackTask\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+WatchdogServiceControlManagerTimeout\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+SystrayAutostart\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+MaintenanceTask\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Create\ /TN\ "klcp_update"\ /XML\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+klcp_update_task\.xml</field>
    </rule>
    <rule id="901769" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Add Scheduled Task Parent</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet|\\+Users\\+Public\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update_task\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)unattended\.ini</field>
    </rule>
    <rule id="901770" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Persistence Via Powershell Search Order Hijacking - Task</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+WINDOWS\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-k\ netsvcs</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-s\ Schedule</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-windowstyle\ hidden|\ \-w\ hidden|\ \-ep\ bypass|\ \-noni)$</field>
    </rule>
    <rule id="901771" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Scheduled Task Executing Payload from Registry</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)schtasks\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-ItemProperty|\ gp\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU:|HKLM:|registry::|HKEY_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)encodedcommand</field>
    </rule>
    <rule id="901772" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks Schedule Types</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)schtasks\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ ONLOGON\ |\ ONSTART\ |\ ONCE\ |\ ONIDLE\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)NT\ AUT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ SYSTEM</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)HIGHEST</field>
    </rule>
    <rule id="901773" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1036.005</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation via Masqueraded XML File</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)schtasks\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/create|\-create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/xml|\-xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.xml</field>
        <field name="win.eventdata.integrityLevel" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+Installer\\+MSI</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\.tmp,zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="901774" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1036.005</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation via Masqueraded XML File</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)schtasks\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/create|\-create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/xml|\-xml</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+ProgramData\\+OEM\\+UpgradeTool\\+CareCenter_.+\\+BUnzip\\+Setup_msi\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Axis\ Communications\\+AXIS\ Camera\ Station\\+SetupActions\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Axis\ Communications\\+AXIS\ Device\ Manager\\+AdmSetupActions\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Zemana\\+AntiMalware\\+AntiMalware\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Dell\\+SupportAssist\\+pcdrcui\.exe)$</field>
    </rule>
    <rule id="901775" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Command Patterns In Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/sc\ minute\ |/ru\ system\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\ /c|cmd\ /k|cmd\ /r|cmd\.exe\ /c\ |cmd\.exe\ /k\ |cmd\.exe\ /r\ )</field>
    </rule>
    <rule id="901776" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Command Patterns In Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/sc\ minute\ |/ru\ system\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-decode\ |\ \-enc\ |\ \-w\ hidden\ |\ bypass\ |\ IEX|\.DownloadData|\.DownloadFile|\.DownloadString|/c\ start\ /min\ |FromBase64String|mshta\ http|mshta\.exe\ http</field>
    </rule>
    <rule id="901777" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Schtasks Creation Or Modification With SYSTEM Privileges</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /change\ |\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/ru\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:NT\ AUT|\ SYSTEM\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/TN\ TVInstallRestore</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+TeamViewer_\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Create\ /F\ /RU\ System\ /SC\ WEEKLY\ /TN\ AviraSystemSpeedupVerify\ /TR\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Avira\\+System\ Speedup\\+setup\\+avira_speedup_setup\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/VERIFY\ /VERYSILENT\ /NOSTART\ /NODOTNET\ /NORESTART"\ /RL\ HIGHEST</field>
    </rule>
    <rule id="901778" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Script Event Consumer Spawning Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+dllhost\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+schtasks\.exe|\\+regsvr32\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+msiexec\.exe|\\+msbuild\.exe)$</field>
    </rule>
    <rule id="901779" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Possible Privilege Escalation via Weak Service Permissions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)Medium</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
    </rule>
    <rule id="901780" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Possible Privilege Escalation via Weak Service Permissions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)Medium</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)failure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)command</field>
    </rule>
    <rule id="901781" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Service Creation Using Sc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
    </rule>
    <rule id="901782" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Kernel Driver Via SC.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create|config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)kernel</field>
    </rule>
    <rule id="901783" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious Service Path Modification</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|cmd\ |mshta|wscript|cscript|rundll32|svchost|dllhost|cmd\.exe\ /c|cmd\.exe\ /k|cmd\.exe\ /r|cmd\ /c|cmd\ /k|cmd\ /r|C:\\+Users\\+Public|\\+Downloads\\+|\\+Desktop\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+Windows\\+TEMP\\+|\\+AppData\\+Local\\+Temp</field>
    </rule>
    <rule id="901784" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Potential Persistence Attempt Via Existing Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:sc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:config\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binpath=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:sc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)failure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)command=</field>
    </rule>
    <rule id="901785" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Shim Database Persistence via Sdbinst.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sdbinst\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sdbinst\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.sdb</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+IIS\ Express\\+iisexpressshim\.sdb</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+IIS\ Express\\+iisexpressshim\.sdb</field>
    </rule>
    <rule id="901786" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Uncommon Extension Shim Database Installation Via Sdbinst.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sdbinst\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sdbinst\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.sdb</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-c)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-f)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-mm)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-t)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-m\ \-bg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="901787" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Sdclt Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sdclt\.exe)$</field>
    </rule>
    <rule id="901788" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Sdiagnhost Calling Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe|\\+mshta\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+taskkill\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+calc\.exe)$</field>
    </rule>
    <rule id="901789" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1562.002</id>
            <id>attack.t1547.001</id>
            <id>attack.t1505.005</id>
            <id>attack.t1556.002</id>
            <id>attack.t1562</id>
            <id>attack.t1574.007</id>
            <id>attack.t1564.002</id>
            <id>attack.t1546.008</id>
            <id>attack.t1546.007</id>
            <id>attack.t1547.014</id>
            <id>attack.t1547.010</id>
            <id>attack.t1547.002</id>
            <id>attack.t1557</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Potential Suspicious Activity Using SeCEdit</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+secedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SeCEdit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/export</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/cfg</field>
    </rule>
    <rule id="901790" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1562.002</id>
            <id>attack.t1547.001</id>
            <id>attack.t1505.005</id>
            <id>attack.t1556.002</id>
            <id>attack.t1562</id>
            <id>attack.t1574.007</id>
            <id>attack.t1564.002</id>
            <id>attack.t1546.008</id>
            <id>attack.t1546.007</id>
            <id>attack.t1547.014</id>
            <id>attack.t1547.010</id>
            <id>attack.t1547.002</id>
            <id>attack.t1557</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Potential Suspicious Activity Using SeCEdit</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+secedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SeCEdit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/configure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/db</field>
    </rule>
    <rule id="901791" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
            <id>cve.2021.35211</id>
        </mitre>
        <description>Suspicious Serv-U Process Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Serv\-U\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+sh\.exe|\\+bash\.exe|\\+schtasks\.exe|\\+regsvr32\.exe|\\+wmic\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+msiexec\.exe|\\+forfiles\.exe|\\+scriptrunner\.exe)$</field>
    </rule>
    <rule id="901792" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1529</id>
        </mitre>
        <description>Suspicious Execution of Shutdown</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+shutdown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/r\ |/s\ )</field>
    </rule>
    <rule id="901793" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1529</id>
        </mitre>
        <description>Suspicious Execution of Shutdown to Log Out</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+shutdown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/l</field>
    </rule>
    <rule id="901794" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Processes Of SndVol.exe</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+SndVol\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ shell32\.dll,Control_RunDLL\ )</field>
    </rule>
    <rule id="901795" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Audio Capture via SoundRecorder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SoundRecorder\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/FILE</field>
    </rule>
    <rule id="901796" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Splwow64 Without Params</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+splwow64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:splwow64\.exe)$</field>
    </rule>
    <rule id="901797" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpupdate\.exe|\\+whoami\.exe|\\+nltest\.exe|\\+taskkill\.exe|\\+wmic\.exe|\\+taskmgr\.exe|\\+sc\.exe|\\+findstr\.exe|\\+curl\.exe|\\+wget\.exe|\\+certutil\.exe|\\+bitsadmin\.exe|\\+accesschk\.exe|\\+wevtutil\.exe|\\+bcdedit\.exe|\\+fsutil\.exe|\\+cipher\.exe|\\+schtasks\.exe|\\+write\.exe|\\+wuauclt\.exe|\\+systeminfo\.exe|\\+reg\.exe|\\+query\.exe)$</field>
    </rule>
    <rule id="901798" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)start</field>
    </rule>
    <rule id="901799" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.spl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)route\ add</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)program\ files</field>
    </rule>
    <rule id="901800" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)add\ portopening</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)rule\ name</field>
    </rule>
    <rule id="901801" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.spl</field>
    </rule>
    <rule id="901802" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Process Proxy Execution Via Squirrel.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+squirrel\.exe|\\+update\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-processStart|\-\-processStartAndWait|\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Discord\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)GitHubDesktop\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStartAndWait</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Teams\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Yammer\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
    </rule>
    <rule id="901803" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1572</id>
            <id>attack.t1021.001</id>
            <id>attack.t1021.004</id>
        </mitre>
        <description>Port Forwarding Activity Via SSH.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ssh\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
    </rule>
    <rule id="901804" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Potential RDP Tunneling Via SSH</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ssh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):3389</field>
    </rule>
    <rule id="901805" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.persistence</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Potential Amazon SSM Agent Hijacking</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+amazon\-ssm\-agent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-register\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-code\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-id\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-region\ )</field>
    </rule>
    <rule id="901806" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution via stordiag.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+stordiag\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe|\\+systeminfo\.exe|\\+fltmc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+system32\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+syswow64\\+)</field>
    </rule>
    <rule id="901807" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Start of NT Virtual DOS Machine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntvdm\.exe|\\+csrstub\.exe)$</field>
    </rule>
    <rule id="901808" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Abused Debug Privilege by Arbitrary Parent Processes</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe|\\+services\.exe|\\+lsass\.exe|\\+csrss\.exe|\\+smss\.exe|\\+wininit\.exe|\\+spoolsv\.exe|\\+searchindexer\.exe)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll|Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ route\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ ADD\ )</field>
    </rule>
    <rule id="901809" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
    </rule>
    <rule id="901810" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:makecab\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
    </rule>
    <rule id="901811" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:reg\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ export\ )</field>
    </rule>
    <rule id="901812" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regedit\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /E\ )</field>
    </rule>
    <rule id="901813" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:esentutl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /y\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /o\ )</field>
    </rule>
    <rule id="901814" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Windows\\+Installer\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)msi</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:tmp)$</field>
    </rule>
    <rule id="901815" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
    </rule>
    <rule id="901816" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+services\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+msiexec\.exe\ /V)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+msiexec\.exe\ /V)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Sophos\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Avira\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avast\ Software\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avast\ Software\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Update\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Update\\+)</field>
    </rule>
    <rule id="901817" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901818" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\ /c|Invoke\-|Base64</field>
    </rule>
    <rule id="901819" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
    </rule>
    <rule id="901820" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204</id>
            <id>attack.t1566.001</id>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Arbitrary Shell Command Execution Via Settingcontent-Ms</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.SettingContent\-ms</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)immersivecontrolpanel</field>
    </rule>
    <rule id="901821" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566</id>
        </mitre>
        <description>Phishing Pattern ISO in Archive</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Winrar\.exe|\\+7zFM\.exe|\\+peazip\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+isoburn\.exe|\\+PowerISO\.exe|\\+ImgBurn\.exe)$</field>
    </rule>
    <rule id="901822" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1119</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Automated Collection Command Prompt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc|\.docx|\.xls|\.xlsx|\.ppt|\.pptx|\.rtf|\.pdf|\.txt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /b\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /s\ )</field>
    </rule>
    <rule id="901823" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1119</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Automated Collection Command Prompt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc|\.docx|\.xls|\.xlsx|\.ppt|\.pptx|\.rtf|\.pdf|\.txt</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)FINDSTR\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /e\ |\ /si\ )</field>
    </rule>
    <rule id="901824" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:WerFault\.exe)$</field>
    </rule>
    <rule id="901825" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:rundll32\.exe)$</field>
    </rule>
    <rule id="901826" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvcs\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regsvcs\.exe)$</field>
    </rule>
    <rule id="901827" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regasm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regasm\.exe)$</field>
    </rule>
    <rule id="901828" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regsvr32\.exe)$</field>
    </rule>
    <rule id="901829" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+EdgeUpdate\\+Install\\+\{</field>
    </rule>
    <rule id="901830" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Installer\\+setup\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-\-uninstall\ \-\-channel=stable</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:rundll32\.exe)$</field>
    </rule>
    <rule id="901831" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Escape Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)h\^t\^t\^p|h"t"t"p</field>
    </rule>
    <rule id="901832" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ЛЈ|ЛЄ|Лў</field>
    </rule>
    <rule id="901833" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)в€•|вЃ„</field>
    </rule>
    <rule id="901834" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)вЂ•|вЂ”</field>
    </rule>
    <rule id="901835" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Гў|в‚¬|ВЈ|ВЇ|В®|Вµ|В¶</field>
    </rule>
    <rule id="901836" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\.\.\\+Windows\\+|\\+\.\.\\+System32\\+|\\+\.\.\\+\.\.\\+</field>
    </rule>
    <rule id="901837" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\\+\.\.\\+</field>
    </rule>
    <rule id="901838" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Google\\+Drive\\+googledrivesync\.exe\\+\.\.\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Citrix\\+Virtual\ Smart\ Card\\+Citrix\.Authentication\.VirtualSmartcard\.Launcher\.exe\\+\.\.\\+</field>
    </rule>
    <rule id="901839" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.collection</id>
            <id>attack.exfiltration</id>
            <id>attack.t1039</id>
            <id>attack.t1048</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Copy From Or To Admin Share Or Sysvol Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.+\$|\\+Sysvol\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)robocopy\.exe|XCOPY\.EXE</field>
    </rule>
    <rule id="901840" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.collection</id>
            <id>attack.exfiltration</id>
            <id>attack.t1039</id>
            <id>attack.t1048</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Copy From Or To Admin Share Or Sysvol Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.+\$|\\+Sysvol\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy</field>
    </rule>
    <rule id="901841" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
    </rule>
    <rule id="901842" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\-item|\ copy\ |cpi\ |\ cp\ )</field>
    </rule>
    <rule id="901843" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)robocopy\.exe|XCOPY\.EXE</field>
    </rule>
    <rule id="901844" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System32|\\+SysWOW64|\\+WinSxS</field>
    </rule>
    <rule id="901845" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
    </rule>
    <rule id="901846" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\-item|\ copy\ |cpi\ |\ cp\ )</field>
    </rule>
    <rule id="901847" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)robocopy\.exe|XCOPY\.EXE</field>
    </rule>
    <rule id="901848" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>Potential Crypto Mining Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-cpu\-priority=|\-\-donate\-level=0|\ \-o\ pool\.|\ \-\-nicehash|\ \-\-algo=rx/0\ |stratum\+tcp://|stratum\+udp://|LS1kb25hdGUtbGV2ZWw9|0tZG9uYXRlLWxldmVsP|tLWRvbmF0ZS1sZXZlbD|c3RyYXR1bSt0Y3A6Ly|N0cmF0dW0rdGNwOi8v|zdHJhdHVtK3RjcDovL|c3RyYXR1bSt1ZHA6Ly|N0cmF0dW0rdWRwOi8v|zdHJhdHVtK3VkcDovL</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ pool\.c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ pool\.o\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)gcc\ \-</field>
    </rule>
    <rule id="901849" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-WebRequest|iwr\ |wget\ |curl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-ur</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-me</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-b</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ POST\ )</field>
    </rule>
    <rule id="901850" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-ur</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ |\ \-\-data\ )</field>
    </rule>
    <rule id="901851" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wget\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-post\-data|\-\-post\-file</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Content|GetBytes|hostname|ifconfig|ipconfig|net\ view|netstat|nltest|qprocess|sc\ query|systeminfo|tasklist|ToBase64String|whoami</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ C:\\+</field>
    </rule>
    <rule id="901852" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:taskkill\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RaccineSettings\.exe</field>
    </rule>
    <rule id="901853" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Raccine\ Tray</field>
    </rule>
    <rule id="901854" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)schtasks</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/DELETE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Raccine\ Rules\ Updater</field>
    </rule>
    <rule id="901855" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Suspicious Double Extension File Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\.doc\.exe|\.docx\.exe|\.xls\.exe|\.xlsx\.exe|\.ppt\.exe|\.pptx\.exe|\.rtf\.exe|\.pdf\.exe|\.txt\.exe|\ \ \ \ \ \ \.exe|______\.exe|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc\.exe|\.docx\.exe|\.xls\.exe|\.xlsx\.exe|\.ppt\.exe|\.pptx\.exe|\.rtf\.exe|\.pdf\.exe|\.txt\.exe|\ \ \ \ \ \ \.exe|______\.exe|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js</field>
    </rule>
    <rule id="901856" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Parent Double Extension File Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\.doc\.lnk|\.docx\.lnk|\.xls\.lnk|\.xlsx\.lnk|\.ppt\.lnk|\.pptx\.lnk|\.rtf\.lnk|\.pdf\.lnk|\.txt\.lnk|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.doc\.lnk|\.docx\.lnk|\.xls\.lnk|\.xlsx\.lnk|\.ppt\.lnk|\.pptx\.lnk|\.rtf\.lnk|\.pdf\.lnk|\.txt\.lnk|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js</field>
    </rule>
    <rule id="901857" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>DumpStack.log Defender Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpStack\.log)$</field>
    </rule>
    <rule id="901858" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>DumpStack.log Defender Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-o\ DumpStack\.log</field>
    </rule>
    <rule id="901859" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901860" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
    </rule>
    <rule id="901861" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+discord\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+discord\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+keybase\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+keybase\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msteams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msteams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+WerFault\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+WerFault\.exe</field>
    </rule>
    <rule id="901862" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+NVSMI\\+nvidia\-smi\.exe</field>
    </rule>
    <rule id="901863" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Elevated System Shell Spawned From Uncommon Parent Location</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll|Cmd\.Exe</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.logonId" negate="no" type="pcre2">(?i)0x3e7</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="901864" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Elevated System Shell Spawned From Uncommon Parent Location</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll|Cmd\.Exe</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.logonId" negate="no" type="pcre2">(?i)0x3e7</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+ManageEngine\\+ADManager\ Plus\\+pgsql\\+bin\\+postgres\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+cmd\.exe\ /c\ "</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+IBM\\+SpectrumProtect\\+webserver\\+scripts\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+IBM\\+SpectrumProtect\\+webserver\\+scripts\\+</field>
    </rule>
    <rule id="901865" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Hidden Powershell in Link File Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.lnk</field>
    </rule>
    <rule id="901866" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Tamper In .NET Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)COMPlus_ETWEnabled|COMPlus_ETWFlags</field>
    </rule>
    <rule id="901867" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Trace</field>
    </rule>
    <rule id="901868" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clear\-log</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Trace</field>
    </rule>
    <rule id="901869" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/e:false</field>
    </rule>
    <rule id="901870" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set\-log</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/e:false</field>
    </rule>
    <rule id="901871" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)logman</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)update</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)trace</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-p</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ets</field>
    </rule>
    <rule id="901872" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Remove\-EtwTraceProvider</field>
    </rule>
    <rule id="901873" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Set\-EtwTraceProvider</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x11</field>
    </rule>
    <rule id="901874" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clear\-log\ |\ cl\ |set\-log\ |\ sl\ |lfn:</field>
    </rule>
    <rule id="901875" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Clear\-EventLog\ |Remove\-EventLog\ |Limit\-EventLog\ |Clear\-WinEvent\ )</field>
    </rule>
    <rule id="901876" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ClearEventLog</field>
    </rule>
    <rule id="901877" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+msiexec\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+msiexec\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ sl\ )</field>
    </rule>
    <rule id="901878" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft\-Windows\-TerminalServices\-LocalSessionManager/Operational|Microsoft\-Windows\-Terminal\-Services\-RemoteConnectionManager/Operational|Security</field>
    </rule>
    <rule id="901879" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-InstanceId\ 4624|System\[EventID=4624\]|EventCode=.4624.|EventIdentifier=.4624.|\-InstanceId\ 4778|System\[EventID=4778\]|EventCode=.4778.|EventIdentifier=.4778.|\-InstanceId\ 25|System\[EventID=25\]|EventCode=.25.|EventIdentifier=.25.</field>
    </rule>
    <rule id="901880" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wevtutil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ qe\ |\ query\-events\ )</field>
    </rule>
    <rule id="901881" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wevtutil\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ qe\ |\ query\-events\ )</field>
    </rule>
    <rule id="901882" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wevtutil\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wmic\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ ntevent</field>
    </rule>
    <rule id="901883" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wevtutil\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wmic\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-WinEvent\ |get\-eventlog\ )</field>
    </rule>
    <rule id="901884" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Execution From GUID Like Folder Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\{</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+\{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+drvinst\.exe</field>
    </rule>
    <rule id="901885" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1564</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Parent in Public Folder Suspicious Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|cmd\.exe\ /c\ |cmd\.exe\ /r\ |cmd\.exe\ /k\ |cmd\ /c\ |cmd\ /r\ |cmd\ /k\ |wscript\.exe|cscript\.exe|bitsadmin|certutil|mshta\.exe</field>
    </rule>
    <rule id="901886" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Execution from Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+\$Recycle\.bin\\+|\\+config\\+systemprofile\\+|\\+Intel\\+Logs\\+|\\+RSA\\+MachineKeys\\+|\\+Users\\+All\ Users\\+|\\+Users\\+Default\\+|\\+Users\\+NetworkService\\+|\\+Users\\+Public\\+|\\+Windows\\+addins\\+|\\+Windows\\+debug\\+|\\+Windows\\+Fonts\\+|\\+Windows\\+Help\\+|\\+Windows\\+IME\\+|\\+Windows\\+Media\\+|\\+Windows\\+repair\\+|\\+Windows\\+security\\+|\\+Windows\\+System32\\+Tasks\\+|\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Perflogs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+IBM\\+ClientSolutions\\+Start_Programs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+config\\+systemprofile\\+Citrix\\+UpdaterBinaries\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CitrixReceiverUpdater\.exe)$</field>
    </rule>
    <rule id="901887" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)\\+.</field>
        <field name="win.eventdata.fileVersion" negate="no" type="pcre2">(?i)\\+.</field>
    </rule>
    <rule id="901888" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)\\+.</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)\\+.</field>
    </rule>
    <rule id="901889" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)\\+.</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)\\+.</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Downloads\\+</field>
    </rule>
    <rule id="901890" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1615</id>
            <id>attack.t1059.005</id>
        </mitre>
        <description>Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gatherNetworkInfo\.vbs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
    </rule>
    <rule id="901891" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::\$index_allocation</field>
    </rule>
    <rule id="901892" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution Of Non-Existing File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Registry</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)MemCompression</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)vmmem</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Registry</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)MemCompression</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)vmmem</field>
    </rule>
    <rule id="901893" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Base64 MZ Header In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)TVqQAAMAAAAEAAAA|TVpQAAIAAAAEAA8A|TVqAAAEAAAAEABAA|TVoAAAAAAAAAAAAA|TVpTAQEAAAAEAAAA</field>
    </rule>
    <rule id="901894" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)AddSecurityPackage|AdjustTokenPrivileges|Advapi32|CloseHandle|CreateProcessWithToken|CreatePseudoConsole|CreateRemoteThread|CreateThread|CreateUserThread|DangerousGetHandle|DuplicateTokenEx|EnumerateSecurityPackages|FreeHGlobal|FreeLibrary|GetDelegateForFunctionPointer|GetLogonSessionData|GetModuleHandle|GetProcAddress|GetProcessHandle|GetTokenInformation|ImpersonateLoggedOnUser|kernel32|LoadLibrary|memcpy|MiniDumpWriteDump|ntdll|OpenDesktop|OpenProcess|OpenProcessToken|OpenThreadToken|OpenWindowStation|PtrToString|QueueUserApc|ReadProcessMemory|RevertToSelf|RtlCreateUserThread|secur32|SetThreadToken|VirtualAlloc|VirtualFree|VirtualProtect|WaitForSingleObject|WriteInt32|WriteProcessMemory|ZeroFreeGlobalAllocUnicode</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MpCmdRun\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)GetLoadLibraryWAddress32</field>
    </rule>
    <rule id="901895" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ rmdir\ )</field>
    </rule>
    <rule id="901896" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)user</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/domain</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/add</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/delete</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/active</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/expires</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/passwordreq</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/scriptpath</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/times</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/workstations</field>
    </rule>
    <rule id="901897" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe|\\+quser\.exe|\\+qwinsta\.exe)$</field>
    </rule>
    <rule id="901898" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)useraccount</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)get</field>
    </rule>
    <rule id="901899" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmdkey\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /l</field>
    </rule>
    <rule id="901900" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>LOLBIN Execution From Abnormal Drive</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+certutil\.exe|\\+cmstp\.exe|\\+cscript\.exe|\\+installutil\.exe|\\+mshta\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)CALC\.EXE|CertUtil\.exe|CMSTP\.EXE|cscript\.exe|installutil\.exe|MSHTA\.EXE|REGSVR32\.EXE|RUNDLL32\.EXE|wscript\.exe</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)C:\\+</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901901" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Dump Keyword In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass\.dmp|lsass\.zip|lsass\.rar|Andrew\.dmp|Coredump\.dmp|NotLSASS\.zip|lsass_2|lsassdump|lsassdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SQLDmpr</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.mdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)nanodump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="901902" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential File Download Via MS-AppInstaller Protocol Handler</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ms\-appinstaller://.source=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901903" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
        </mitre>
        <description>Suspicious Network Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ipconfig\ /all|netsh\ interface\ show\ interface|arp\ \-a|nbtstat\ \-n|net\ config|route\ print</field>
    </rule>
    <rule id="901904" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Potential Network Sniffing Activity Using Network Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tshark\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-i</field>
    </rule>
    <rule id="901905" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Potential Network Sniffing Activity Using Network Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+windump\.exe)$</field>
    </rule>
    <rule id="901906" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution of Suspicious File Type Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.bin)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.cgi)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Registry</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)MemCompression</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)vmmem</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Installer\\+MSI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+DriverStore\\+FileRepository\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Config\.Msi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.rbf)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.rbs)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$Extend\\+\$Deleted\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901907" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution of Suspicious File Type Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.bin)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.cgi)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Avira\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)NVIDIA\\+NvBackend\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.dat)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+WINPAKPRO\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WINPAKPRO\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.ngn)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+MyQ\\+Server\\+pcltool\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+MyQ\\+Server\\+pcltool\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+LocalState\\+rootfs\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+LZMA_EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Mozilla\ Firefox\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+services\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:com\.docker\.service)$</field>
    </rule>
    <rule id="901908" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Non-privileged Usage of Reg or Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:reg\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
    </rule>
    <rule id="901909" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Non-privileged Usage of Reg or Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|set\-itemproperty|\ sp\ |new\-itemproperty</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)Medium</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Services</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ImagePath|FailureCommand|ServiceDLL</field>
    </rule>
    <rule id="901910" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NTDSDump\.exe|\\+NTDSDumpEx\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ntds\.dit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.hiv</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NTDSgrab\.ps1</field>
    </rule>
    <rule id="901911" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ac\ i\ ntds</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create\ full</field>
    </rule>
    <rule id="901912" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/c\ copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+windows\\+ntds\\+ntds\.dit</field>
    </rule>
    <rule id="901913" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)activate\ instance\ ntds</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create\ full</field>
    </rule>
    <rule id="901914" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ntds\.dit</field>
    </rule>
    <rule id="901915" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use Short Name Path in Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\~1\\+|\~2\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Dism\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+cleanmgr\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+GPSoftware\\+Directory\ Opus\\+dopus\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+veam\.backup\.shell\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+winget\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Everything\\+Everything\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+appdata\\+local\\+webex\\+webex64\\+meetings\\+wbxreport\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+post\-install\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+cmd\\+scalar\.exe</field>
    </rule>
    <rule id="901916" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use Short Name Path in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\\+|\~2\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+Dism\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+cleanmgr\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.product" negate="yes" type="pcre2">(?i)InstallShield\ $R$</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)InstallShield\ $R$\ Setup\ Engine</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)InstallShield\ Software\ Corporation</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\~1\\+unzip\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\~1\\+7zG\.exe)$</field>
    </rule>
    <rule id="901917" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\~1\.exe|\~1\.bat|\~1\.msi|\~1\.vbe|\~1\.vbs|\~1\.dll|\~1\.ps1|\~1\.js|\~1\.hta|\~2\.exe|\~2\.bat|\~2\.msi|\~2\.vbe|\~2\.vbs|\~2\.dll|\~2\.ps1|\~2\.js|\~2\.hta</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+xampp\\+vcredist\\+VCREDI\~1\.EXE</field>
    </rule>
    <rule id="901918" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\.bat|\~1\.dll|\~1\.exe|\~1\.hta|\~1\.js|\~1\.msi|\~1\.ps1|\~1\.tmp|\~1\.vbe|\~1\.vbs|\~2\.bat|\~2\.dll|\~2\.exe|\~2\.hta|\~2\.js|\~2\.msi|\~2\.ps1|\~2\.tmp|\~2\.vbe|\~2\.vbs</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
    </rule>
    <rule id="901919" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\.bat|\~1\.dll|\~1\.exe|\~1\.hta|\~1\.js|\~1\.msi|\~1\.ps1|\~1\.tmp|\~1\.vbe|\~1\.vbs|\~2\.bat|\~2\.dll|\~2\.exe|\~2\.hta|\~2\.js|\~2\.msi|\~2\.ps1|\~2\.tmp|\~2\.vbe|\~2\.vbs</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+PROGRA\~1\\+WinZip\\+WZPREL\~1\.EXE</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+VCREDI\~1\.EXE)$</field>
    </rule>
    <rule id="901920" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0x|//0x|\.0x|\.00x</field>
    </rule>
    <rule id="901921" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://%</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%2e</field>
    </rule>
    <rule id="901922" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.0[0-9]{3,7}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{3,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i) [0-7]{7,13}</field>
    </rule>
    <rule id="901923" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}</field>
    </rule>
    <rule id="901924" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0x|//0x|\.0x|\.00x</field>
    </rule>
    <rule id="901925" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://%</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%2e</field>
    </rule>
    <rule id="901926" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.0[0-9]{3,7}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{3,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i) [0-7]{7,13}</field>
    </rule>
    <rule id="901927" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}</field>
    </rule>
    <rule id="901928" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious Office Token Search Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)eyJ0eXAiOi|\ eyJ0eX|\ "eyJ0eX"|\ 'eyJ0eX'</field>
    </rule>
    <rule id="901929" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Process Parents</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+minesweeper\.exe|\\+winver\.exe|\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="901930" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Process Parents</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+certutil\.exe|\\+eventvwr\.exe|\\+calc\.exe|\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+win32calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901931" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
    </rule>
    <rule id="901932" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-ChildItem\ )</field>
    </rule>
    <rule id="901933" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)FINDSTR\.EXE</field>
    </rule>
    <rule id="901934" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Windows Processes Suspicious Parent Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+taskhost\.exe|\\+lsm\.exe|\\+lsass\.exe|\\+services\.exe|\\+lsaiso\.exe|\\+csrss\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+SavService\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Microsoft\ Security\ Client\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\-</field>
    </rule>
    <rule id="901935" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Program Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+CVE\-202|\\+CVE202</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+poc\.exe|\\+artifact\.exe|\\+artifact64\.exe|\\+artifact_protected\.exe|\\+artifact32\.exe|\\+artifact32big\.exe|obfuscated\.exe|obfusc\.exe|\\+meterpreter)$</field>
    </rule>
    <rule id="901936" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Program Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)inject\.ps1|Invoke\-CVE|pupy\.ps1|payload\.ps1|beacon\.ps1|PowerView\.ps1|bypass\.ps1|obfuscated\.ps1|obfusc\.ps1|obfus\.ps1|obfs\.ps1|evil\.ps1|MiniDogz\.ps1|_enc\.ps1|\\+shell\.ps1|\\+rshell\.ps1|revshell\.ps1|\\+av\.ps1|\\+av_test\.ps1|adrecon\.ps1|mimikatz\.ps1|\\+PowerUp_|powerup\.ps1|\\+Temp\\+a\.ps1|\\+Temp\\+p\.ps1|\\+Temp\\+1\.ps1|Hound\.ps1|encode\.ps1|powercat\.ps1</field>
    </rule>
    <rule id="901937" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Process Execution From Fake Recycle.Bin Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
    </rule>
    <rule id="901938" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.002</id>
        </mitre>
        <description>Potential Defense Evasion Via Right-to-Left Override</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)‮</field>
    </rule>
    <rule id="901939" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+mshta\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901940" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ep\ bypass\ |\ \-ExecutionPolicy\ bypass\ |\ \-w\ hidden\ |/e:javascript\ |/e:Jscript\ |/e:vbscript\ )</field>
    </rule>
    <rule id="901941" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)cscript\.exe|mshta\.exe|wscript\.exe</field>
    </rule>
    <rule id="901942" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|\\+Temporary\ Internet|\\+Windows\\+Temp</field>
    </rule>
    <rule id="901943" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901944" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Script Execution From Temp Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+mshta\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Windows\\+Temp|\\+Temporary\ Internet|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|%TEMP%|%TMP%|%LocalAppData%\\+Temp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ &gt;</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Out\-File</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ConvertTo\-Json</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-WindowStyle\ hidden\ \-Verb\ runAs</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Windows\\+system32\\+config\\+systemprofile\\+AppData\\+Local\\+Temp\\+Amazon\\+EC2\-Windows\\+</field>
    </rule>
    <rule id="901945" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath=</field>
    </rule>
    <rule id="901946" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-BinaryPathName</field>
    </rule>
    <rule id="901947" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|mshta|wscript|cscript|svchost|dllhost|cmd\ |cmd\.exe\ /c|cmd\.exe\ /k|cmd\.exe\ /r|rundll32|C:\\+Users\\+Public|\\+Downloads\\+|\\+Desktop\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+Windows\\+TEMP\\+|\\+AppData\\+Local\\+Temp</field>
    </rule>
    <rule id="901948" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Service Binary Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+\$Recycle\.bin|\\+Users\\+All\ Users\\+|\\+Users\\+Default\\+|\\+Users\\+Contacts\\+|\\+Users\\+Searches\\+|C:\\+Perflogs\\+|\\+config\\+systemprofile\\+|\\+Windows\\+Fonts\\+|\\+Windows\\+IME\\+|\\+Windows\\+addins\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe|\\+svchost\.exe)$</field>
    </rule>
    <rule id="901949" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Suspicious Windows Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)143Svc|Acronis\ VSS\ Provider|AcronisAgent|AcrSch2Svc|Antivirus|ARSM|aswBcc|Avast\ Business\ Console\ Client\ Antivirus\ Service|avast!\ Antivirus|AVG\ Antivirus|avgAdminClient|AvgAdminServer|AVP1|BackupExec|bedbg|BITS|BrokerInfrastructure|Client\ Agent\ 7\.60|Core\ Browsing\ Protection|Core\ Mail\ Protection|Core\ Scanning\ Server|DCAgent|EhttpSr|ekrn|Enterprise\ Client\ Service|epag|EPIntegrationService|EPProtectedService|EPRedline|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|FirebirdGuardianDefaultInstance|FirebirdServerDefaultInstance|HealthTLService|MSSQLFDLauncher\$|hmpalertsvc|HMS|IISAdmin|IMANSVC|IMAP4Svc|KAVFS|KAVFSGT|kavfsslp|klbackupdisk|klbackupflt|klflt|klhk|KLIF|klim6|klkbdflt|klmouflt|klnagent|klpd|kltap|KSDE1\.0\.0|LogProcessorService|M8EndpointAgent|macmnsvc|masvc|MBAMService|MBCloudEA|MBEndpointAgent|McAfeeDLPAgentService|McAfeeEngineService|MCAFEEEVENTPARSERSRV|McAfeeFramework|MCAFEETOMCATSRV530|McShield|McTaskManager|mfefire|mfemms|mfevto|mfevtp|mfewc|MMS|mozyprobackup|MsDtsServer|MSExchange|msftesq1SPROO|msftesql\$PROD|MSOLAP\$SQL_2008|MSOLAP\$SYSTEM_BGC|MSOLAP\$TPS|MSOLAP\$TPSAMA|MSOLAPSTPS|MSOLAPSTPSAMA|mssecflt|MSSQ!I\.SPROFXENGAGEMEHT|MSSQ0SHAREPOINT|MSSQ0SOPHOS|MSSQL|MySQL|NanoServiceMain|NetMsmqActivator|ntrtscan|ofcservice|Online\ Protection\ System|OracleClientCache80|PandaAetherAgent|PccNTUpd|PDVFSService|POP3Svc|POVFSService|PSUAService|Quick\ Update\ Service|RepairService|ReportServer|ReportServer\$|RESvc|RpcEptMapper|sacsvr|SamSs|SAVAdminService|SAVService|ScSecSvc|SDRSVC|sense|SentinelAgent|SentinelHelperService|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|Sophos|SQ1SafeOLRService|SQL\ Backups|SQL\ Server|SQLAgent|SQLBrowser|SQLsafe|SQLSERVERAGENT|SQLTELEMETRY|SQLWriter|SSISTELEMETRY130|SstpSvc|svcGenericHost|swc_service|swi_filter|swi_service|swi_update|Symantec|Telemetryserver|ThreatLockerService|TMBMServer|TmCCSF|TmFilter|TMiCRCScanService|tmlisten|TMLWCSService|TmPfw|TmPreFilter|TmProxy|TMSmartRelayService|tmusa|Trend\ Micro\ Deep\ Security\ Manager|TrueKey|UI0Detect|UTODetect|Veeam|VeeamDeploySvc|Veritas\ System\ Recovery|VSApiNt|VSS|W3Svc|wbengine|WdNisSvc|WeanClOudSve|Weems\ JY|WinDefend|wozyprobackup|WRSVC|Zoolz\ 2\ Service</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ stop\ )</field>
    </rule>
    <rule id="901950" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Suspicious Windows Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)143Svc|Acronis\ VSS\ Provider|AcronisAgent|AcrSch2Svc|Antivirus|ARSM|aswBcc|Avast\ Business\ Console\ Client\ Antivirus\ Service|avast!\ Antivirus|AVG\ Antivirus|avgAdminClient|AvgAdminServer|AVP1|BackupExec|bedbg|BITS|BrokerInfrastructure|Client\ Agent\ 7\.60|Core\ Browsing\ Protection|Core\ Mail\ Protection|Core\ Scanning\ Server|DCAgent|EhttpSr|ekrn|Enterprise\ Client\ Service|epag|EPIntegrationService|EPProtectedService|EPRedline|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|FirebirdGuardianDefaultInstance|FirebirdServerDefaultInstance|HealthTLService|MSSQLFDLauncher\$|hmpalertsvc|HMS|IISAdmin|IMANSVC|IMAP4Svc|KAVFS|KAVFSGT|kavfsslp|klbackupdisk|klbackupflt|klflt|klhk|KLIF|klim6|klkbdflt|klmouflt|klnagent|klpd|kltap|KSDE1\.0\.0|LogProcessorService|M8EndpointAgent|macmnsvc|masvc|MBAMService|MBCloudEA|MBEndpointAgent|McAfeeDLPAgentService|McAfeeEngineService|MCAFEEEVENTPARSERSRV|McAfeeFramework|MCAFEETOMCATSRV530|McShield|McTaskManager|mfefire|mfemms|mfevto|mfevtp|mfewc|MMS|mozyprobackup|MsDtsServer|MSExchange|msftesq1SPROO|msftesql\$PROD|MSOLAP\$SQL_2008|MSOLAP\$SYSTEM_BGC|MSOLAP\$TPS|MSOLAP\$TPSAMA|MSOLAPSTPS|MSOLAPSTPSAMA|mssecflt|MSSQ!I\.SPROFXENGAGEMEHT|MSSQ0SHAREPOINT|MSSQ0SOPHOS|MSSQL|MySQL|NanoServiceMain|NetMsmqActivator|ntrtscan|ofcservice|Online\ Protection\ System|OracleClientCache80|PandaAetherAgent|PccNTUpd|PDVFSService|POP3Svc|POVFSService|PSUAService|Quick\ Update\ Service|RepairService|ReportServer|ReportServer\$|RESvc|RpcEptMapper|sacsvr|SamSs|SAVAdminService|SAVService|ScSecSvc|SDRSVC|sense|SentinelAgent|SentinelHelperService|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|Sophos|SQ1SafeOLRService|SQL\ Backups|SQL\ Server|SQLAgent|SQLBrowser|SQLsafe|SQLSERVERAGENT|SQLTELEMETRY|SQLWriter|SSISTELEMETRY130|SstpSvc|svcGenericHost|swc_service|swi_filter|swi_service|swi_update|Symantec|Telemetryserver|ThreatLockerService|TMBMServer|TmCCSF|TmFilter|TMiCRCScanService|tmlisten|TMLWCSService|TmPfw|TmPreFilter|TmProxy|TMSmartRelayService|tmusa|Trend\ Micro\ Deep\ Security\ Manager|TrueKey|UI0Detect|UTODetect|Veeam|VeeamDeploySvc|Veritas\ System\ Recovery|VSApiNt|VSS|W3Svc|wbengine|WdNisSvc|WeanClOudSve|Weems\ JY|WinDefend|wozyprobackup|WRSVC|Zoolz\ 2\ Service</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Stop\-Service\ |Remove\-Service\ )</field>
    </rule>
    <rule id="901951" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1070</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Shadow Copies Deletion Using Operating Systems Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+wmic\.exe|\\+vssadmin\.exe|\\+diskshadow\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PowerShell\.EXE|pwsh\.dll|wmic\.exe|VSSADMIN\.EXE|diskshadow\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadow</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
    </rule>
    <rule id="901952" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1070</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Shadow Copies Deletion Using Operating Systems Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wbadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WBADMIN\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalog</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)quiet</field>
    </rule>
    <rule id="901953" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.001</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Windows Shell/Scripting Processes Spawning Suspicious Programs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+rundll32\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+wmiprvse\.exe|\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe|\\+nslookup\.exe|\\+certutil\.exe|\\+bitsadmin\.exe|\\+mshta\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)\\+ccmcache\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+setup\-scheduledtask\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+set\-selfhealing\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+check\-workspacehealth\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+nessus_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+nessus_</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+MEM_Configmgr_</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+splash\.hta</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+MEM_Configmgr_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+SMSSETUP\\+BIN\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+autorun\.hta</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}</field>
    </rule>
    <rule id="901954" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Process Creation Using Sysnative Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Windows\\+Sysnative\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Windows\\+Sysnative\\+</field>
    </rule>
    <rule id="901955" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>System File Execution Location Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+rundll32\.exe|\\+services\.exe|\\+powershell\.exe|\\+powershell_ise\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+spoolsv\.exe|\\+lsass\.exe|\\+smss\.exe|\\+csrss\.exe|\\+conhost\.exe|\\+wininit\.exe|\\+lsm\.exe|\\+winlogon\.exe|\\+explorer\.exe|\\+taskhost\.exe|\\+Taskmgr\.exe|\\+sihost\.exe|\\+RuntimeBroker\.exe|\\+smartscreen\.exe|\\+dllhost\.exe|\\+audiodg\.exe|\\+wlanext\.exe|\\+dashost\.exe|\\+schtasks\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+wsl\.exe|\\+bitsadmin\.exe|\\+atbroker\.exe|\\+bcdedit\.exe|\\+certutil\.exe|\\+certreq\.exe|\\+cmstp\.exe|\\+consent\.exe|\\+defrag\.exe|\\+dism\.exe|\\+dllhst3g\.exe|\\+eventvwr\.exe|\\+msiexec\.exe|\\+runonce\.exe|\\+winver\.exe|\\+logonui\.exe|\\+userinit\.exe|\\+dwm\.exe|\\+LsaIso\.exe|\\+ntoskrnl\.exe|\\+wsmprovhost\.exe|\\+dfrgui\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+SystemRoot\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+MicrosoftCorporationII\.WindowsSubsystemForLinux)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wsl\.exe)$</field>
    </rule>
    <rule id="901956" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1003</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious SYSTEM User Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)System</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+hh\.exe|\\+mshta\.exe|\\+forfiles\.exe|\\+ping\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-NoP\ |\ \-W\ Hidden\ |\ \-decode\ |\ /decode\ |\ /urlcache\ |\ \-urlcache\ |\ \-e.+\ JAB|\ \-e.+\ SUVYI|\ \-e.+\ SQBFAFgA|\ \-e.+\ aWV4I|\ \-e.+\ IAB|\ \-e.+\ PAA|\ \-e.+\ aQBlAHgA|vssadmin\ delete\ shadows|reg\ SAVE\ HKLM|\ \-ma\ |Microsoft\\+Windows\\+CurrentVersion\\+Run|\.downloadstring$|\.downloadfile\(|\ /ticket:|dpapi::|event::clear|event::drop|id::modify|kerberos::|lsadump::|misc::|privilege::|rpc::|sekurlsa::|sid::|token::|vault::cred|vault::list|\ p::d\ |;iex\(|MiniDump|net\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ping\ 127\.0\.0\.1\ \-n\ 5</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PING\.EXE)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+DismFoDInstall\.cmd</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ \(x86$\\+Java\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Java\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+bin\\+javaws\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Java\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Java\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+bin\\+jp2launcher\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-ma\ )</field>
    </rule>
    <rule id="901957" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Suspicious SYSVOL Domain Group Policy Access</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SYSVOL\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+policies\\+</field>
    </rule>
    <rule id="901958" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspicious Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+netlogon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)explorer\.exe</field>
    </rule>
    <rule id="901959" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Malicious Windows Script Components File Execution by TAEF Detection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+te\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+te\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)\\+te\.exe</field>
    </rule>
    <rule id="901960" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Malicious PE Execution by Microsoft Visual Studio Debugger</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vsjitdebugger\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vsimmersiveactivatehelper.+\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+devenv\.exe)$</field>
    </rule>
    <rule id="901961" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Weak or Abused Passwords In CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)123456789|123123qwE|Asd123\.aaaa|Decryptme|P@ssw0rd!|Pass8080|password123|test@202</field>
    </rule>
    <rule id="901962" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Usage Of Web Request Commands And Cmdlets</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[System\.Net\.WebRequest\]::create|curl\ |Invoke\-RestMethod|Invoke\-WebRequest|iwr\ |Net\.WebClient|Resume\-BitsTransfer|Start\-BitsTransfer|wget\ |WinHttp\.WinHttpRequest</field>
    </rule>
    <rule id="901963" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>WhoAmI as Parameter</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ whoami</field>
    </rule>
    <rule id="901964" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution via WorkFolders.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+control\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WorkFolders\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+control\.exe</field>
    </rule>
    <rule id="901965" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspect Svchost Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnet\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnetp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901966" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Terminal Service Process Spawn</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+svchost\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)termsvcs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rdpclip\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wininit\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winlogon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901967" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Uncommon Svchost Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Mrt\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnet\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="901968" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Potential Execution of Sysinternals Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\ \-accepteula</field>
    </rule>
    <rule id="901969" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Memory Dumping Activity Via LiveKD</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+livekd\.exe|\\+livekd64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)livekd\.exe</field>
    </rule>
    <rule id="901970" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Procdump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+procdump\.exe|\\+procdump64\.exe)$</field>
    </rule>
    <rule id="901971" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy\ procdump|move\ procdump</field>
    </rule>
    <rule id="901972" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.dmp\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)2\.dmp|lsass|out\.dmp</field>
    </rule>
    <rule id="901973" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy\ lsass\.exe_|move\ lsass\.exe_</field>
    </rule>
    <rule id="901974" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569</id>
            <id>attack.t1021</id>
        </mitre>
        <description>Psexec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+psexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)psexec\.c</field>
    </rule>
    <rule id="901975" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Potential PsExec Remote Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)accepteula</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \\+</field>
    </rule>
    <rule id="901976" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PsExec Service Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+PSEXESVC\.exe</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)psexesvc\.exe</field>
    </rule>
    <rule id="901977" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PsExec Service Child Process Execution as LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Windows\\+PSEXESVC\.exe</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
    </rule>
    <rule id="901978" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Sysinternals PsService Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)psservice\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PsService\.exe|\\+PsService64\.exe)$</field>
    </rule>
    <rule id="901979" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Sysinternals PsSuspend Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)pssuspend\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pssuspend\.exe|\\+pssuspend64\.exe)$</field>
    </rule>
    <rule id="901980" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1485</id>
        </mitre>
        <description>Potential File Overwrite Via Sysinternals SDelete</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sdelete\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-h</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-c</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-z</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ /\\+.</field>
    </rule>
    <rule id="901981" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Potential Privilege Escalation To LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\ \-s\ cmd|\ \-s\ \-i\ cmd|\ \-i\ \-s\ cmd|\ \-s\ pwsh|\ \-s\ \-i\ pwsh|\ \-i\ \-s\ pwsh|\ \-s\ powershell|\ \-s\ \-i\ powershell|\ \-i\ \-s\ powershell</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)paexec</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)PsExec</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)accepteula</field>
    </rule>
    <rule id="901982" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potential Binary Impersonating Sysinternals Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+accesschk\.exe|\\+accesschk64\.exe|\\+AccessEnum\.exe|\\+ADExplorer\.exe|\\+ADExplorer64\.exe|\\+ADInsight\.exe|\\+ADInsight64\.exe|\\+adrestore\.exe|\\+adrestore64\.exe|\\+Autologon\.exe|\\+Autologon64\.exe|\\+Autoruns\.exe|\\+Autoruns64\.exe|\\+autorunsc\.exe|\\+autorunsc64\.exe|\\+Bginfo\.exe|\\+Bginfo64\.exe|\\+Cacheset\.exe|\\+Cacheset64\.exe|\\+Clockres\.exe|\\+Clockres64\.exe|\\+Contig\.exe|\\+Contig64\.exe|\\+Coreinfo\.exe|\\+Coreinfo64\.exe|\\+CPUSTRES\.EXE|\\+CPUSTRES64\.EXE|\\+ctrl2cap\.exe|\\+Dbgview\.exe|\\+dbgview64\.exe|\\+Desktops\.exe|\\+Desktops64\.exe|\\+disk2vhd\.exe|\\+disk2vhd64\.exe|\\+diskext\.exe|\\+diskext64\.exe|\\+Diskmon\.exe|\\+Diskmon64\.exe|\\+DiskView\.exe|\\+DiskView64\.exe|\\+du\.exe|\\+du64\.exe|\\+efsdump\.exe|\\+FindLinks\.exe|\\+FindLinks64\.exe|\\+handle\.exe|\\+handle64\.exe|\\+hex2dec\.exe|\\+hex2dec64\.exe|\\+junction\.exe|\\+junction64\.exe|\\+ldmdump\.exe|\\+listdlls\.exe|\\+listdlls64\.exe|\\+livekd\.exe|\\+livekd64\.exe|\\+loadOrd\.exe|\\+loadOrd64\.exe|\\+loadOrdC\.exe|\\+loadOrdC64\.exe|\\+logonsessions\.exe|\\+logonsessions64\.exe|\\+movefile\.exe|\\+movefile64\.exe|\\+notmyfault\.exe|\\+notmyfault64\.exe|\\+notmyfaultc\.exe|\\+notmyfaultc64\.exe|\\+ntfsinfo\.exe|\\+ntfsinfo64\.exe|\\+pendmoves\.exe|\\+pendmoves64\.exe|\\+pipelist\.exe|\\+pipelist64\.exe|\\+portmon\.exe|\\+procdump\.exe|\\+procdump64\.exe|\\+procexp\.exe|\\+procexp64\.exe|\\+Procmon\.exe|\\+Procmon64\.exe|\\+psExec\.exe|\\+psExec64\.exe|\\+psfile\.exe|\\+psfile64\.exe|\\+psGetsid\.exe|\\+psGetsid64\.exe|\\+psInfo\.exe|\\+psInfo64\.exe|\\+pskill\.exe|\\+pskill64\.exe|\\+pslist\.exe|\\+pslist64\.exe|\\+psLoggedon\.exe|\\+psLoggedon64\.exe|\\+psloglist\.exe|\\+psloglist64\.exe|\\+pspasswd\.exe|\\+pspasswd64\.exe|\\+psping\.exe|\\+psping64\.exe|\\+psService\.exe|\\+psService64\.exe|\\+psshutdown\.exe|\\+psshutdown64\.exe|\\+pssuspend\.exe|\\+pssuspend64\.exe|\\+RAMMap\.exe|\\+RDCMan\.exe|\\+RegDelNull\.exe|\\+RegDelNull64\.exe|\\+regjump\.exe|\\+ru\.exe|\\+ru64\.exe|\\+sdelete\.exe|\\+sdelete64\.exe|\\+ShareEnum\.exe|\\+ShareEnum64\.exe|\\+shellRunas\.exe|\\+sigcheck\.exe|\\+sigcheck64\.exe|\\+streams\.exe|\\+streams64\.exe|\\+strings\.exe|\\+strings64\.exe|\\+sync\.exe|\\+sync64\.exe|\\+Sysmon\.exe|\\+Sysmon64\.exe|\\+tcpvcon\.exe|\\+tcpvcon64\.exe|\\+tcpview\.exe|\\+tcpview64\.exe|\\+Testlimit\.exe|\\+Testlimit64\.exe|\\+vmmap\.exe|\\+vmmap64\.exe|\\+Volumeid\.exe|\\+Volumeid64\.exe|\\+whois\.exe|\\+whois64\.exe|\\+Winobj\.exe|\\+Winobj64\.exe|\\+ZoomIt\.exe|\\+ZoomIt64\.exe)$</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)Sysinternals\ \-\ www\.sysinternals\.com</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)Sysinternals</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="901983" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Sysprep on AppData Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sysprep\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
    </rule>
    <rule id="901984" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Execution of Systeminfo</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+systeminfo\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)sysinfo\.exe</field>
    </rule>
    <rule id="901985" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222.001</id>
        </mitre>
        <description>Suspicious Recursive Takeown</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+takeown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/r</field>
    </rule>
    <rule id="901986" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Installer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tapinstall\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Avast\ Software\\+SecureLine\ VPN\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Avast\ Software\\+SecureLine\ VPN\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+OpenVPN\ Connect\\+drivers\\+tap\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Proton\ Technologies\\+ProtonVPNTap\\+installer\\+</field>
    </rule>
    <rule id="901987" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Taskkill Symantec Endpoint Protection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)taskkill</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /F\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /IM\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ccSvcHst\.exe</field>
    </rule>
    <rule id="901988" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Taskmgr as LOCAL_SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
    </rule>
    <rule id="901989" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New Process Created Via Taskmgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+resmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+Taskmgr\.exe)$</field>
    </rule>
    <rule id="901990" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Potentially Suspicious Command Targeting Teams Sensitive Files</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
    </rule>
    <rule id="901991" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Suspicious TSCON Start as SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tscon\.exe)$</field>
    </rule>
    <rule id="901992" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1563.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Suspicious RDP Redirect Using TSCON</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /dest:rdp\-tcp\#</field>
    </rule>
    <rule id="901993" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using ChangePK and SLUI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+changepk\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+slui\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="901994" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Disk Cleanup</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:"\\+system32\\+cleanmgr\.exe\ /autoclean\ /d\ C:)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="901995" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP UAC Bypass via COM Object Access</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ /Processid:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}|\ /Processid:\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}|\ /Processid:\{BD54C901\-076B\-434E\-B6C7\-17C531F4AB41\}|\ /Processid:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}|\ /Processid:\{E9495B87\-D950\-4AB5\-87A5\-FF6D70BF3E90\}</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="901996" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Tools Using ComputerDefaults</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+ComputerDefaults\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
    </rule>
    <rule id="901997" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Consent and Comctl32 - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+consent\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+werfault\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="901998" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using DismHost</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+DismHost\.exe</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="901999" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC via Fodhelper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+fodhelper\.exe)$</field>
    </rule>
    <rule id="902000" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>UAC Bypass via Windows Firewall Snap-In Hijack</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)WF\.msc</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
    </rule>
    <rule id="902001" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass via ICMLuaUtil</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Processid:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}|/Processid:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)WerFault\.exe</field>
    </rule>
    <rule id="902002" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IDiagnostic Profile</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ /Processid:\{12C21EA7\-2EB8\-4B55\-9249\-AC243DA8C666\}</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902003" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IEInstal - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ieinstal\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:consent\.exe)$</field>
    </rule>
    <rule id="902004" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using MSConfig Token Modification - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pkgmgr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"C:\\+Windows\\+system32\\+msconfig\.exe"\ \-5</field>
    </rule>
    <rule id="902005" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+wusa\.exe"\ \ /quiet\ C:\\+Users\\+)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+update\.msu)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902006" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)"C:\\+Windows\\+system32\\+dism\.exe"\ /online\ /quiet\ /norestart\ /add\-package\ /packagepath:"C:\\+Windows\\+system32\\+pe386"\ /ignorecheck</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+dismhost\.exe\ \{</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DismHost\.exe)$</field>
    </rule>
    <rule id="902007" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using PkgMgr and DISM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+pkgmgr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dism\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Potential UAC Bypass Via Sdclt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:sdclt\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High</field>
    </rule>
    <rule id="902009" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>TrustedPath UAC Bypass Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\ \\+System32\\+</field>
    </rule>
    <rule id="902010" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+system32\\+winsat\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)C:\\+Windows\ \\+system32\\+winsat\.exe</field>
    </rule>
    <rule id="902011" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902012" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+cmd\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)"C:\\+Windows\\+system32\\+mmc\.exe"\ "C:\\+Windows\\+system32\\+eventvwr\.msc"\ /s</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902013" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC via WSReset.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsreset\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)CONHOST\.EXE</field>
    </rule>
    <rule id="902014" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass WSReset</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsreset\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)High|System</field>
    </rule>
    <rule id="902015" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Use of UltraVNC Remote Access Software</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)VNCViewer</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)UltraVNC\ VNCViewer</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)UltraVNC</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)VNCViewer\.exe</field>
    </rule>
    <rule id="902016" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.g0047</id>
            <id>attack.t1021.005</id>
        </mitre>
        <description>Suspicious UltraVNC Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-autoreconnect\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-connect\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-id:</field>
    </rule>
    <rule id="902017" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Uninstall Crowdstrike Falcon Sensor</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+WindowsSensor\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /quiet</field>
    </rule>
    <rule id="902018" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Uncommon Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+explorer\.exe)$</field>
    </rule>
    <rule id="902019" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Uncommon Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)netlogon\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)UsrLogon\.cmd</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)PowerShell\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+proquota\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+proquota\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+HDX\\+bin\\+cmstart\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+HDX\\+bin\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+System32\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+HDX\\+bin\\+cmstart\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+HDX\\+bin\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+System32\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902020" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Detect Virtualbox Driver Installation OR Starting Of VMs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VBoxRT\.dll,RTR3Init|VBoxC\.dll|VBoxDrv\.sys</field>
    </rule>
    <rule id="902021" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Detect Virtualbox Driver Installation OR Starting Of VMs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)startvm|controlvm</field>
    </rule>
    <rule id="902022" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Suspicious VBoxDrvInst.exe Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VBoxDrvInst\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)driver</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)executeinf</field>
    </rule>
    <rule id="902023" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1059</id>
        </mitre>
        <description>VMToolsd Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)Cmd\.Exe|cscript\.exe|MSHTA\.EXE|PowerShell\.EXE|pwsh\.dll|REGSVR32\.EXE|RUNDLL32\.EXE|wscript\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+poweron\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+poweroff\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+resume\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+suspend\-vm\-default\.bat</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+cscript\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-Expressions|IEX|Invoke\-Command|ICM|DownloadString|rundll32|regsvr32|wscript|cscript</field>
    </rule>
    <rule id="902026" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
    </rule>
    <rule id="902027" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ tunnel)$</field>
    </rule>
    <rule id="902028" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-accept\-server\-license\-terms</field>
    </rule>
    <rule id="902029" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ tunnel)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)code\-server\.cmd</field>
    </rule>
    <rule id="902030" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Shell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.vscode\-server</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+terminal\\+browser\\+media\\+shellIntegration\.ps1</field>
    </rule>
    <rule id="902031" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Shell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.vscode\-server</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+bash\.exe)$</field>
    </rule>
    <rule id="902032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)None</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ tunnel)$</field>
    </rule>
    <rule id="902033" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-accept\-server\-license\-terms</field>
    </rule>
    <rule id="902034" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)internal\-run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel\-service\.log</field>
    </rule>
    <rule id="902035" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="902036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ tunnel)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)code\-server\.cmd</field>
    </rule>
    <rule id="902037" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="902038" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Service Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)internal\-run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel\-service\.log</field>
    </rule>
    <rule id="902039" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious Vsls-Agent Command With AgentExtensionPath Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vsls\-agent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-agentExtensionPath</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Microsoft\.VisualStudio\.LiveShare\.Agent\.</field>
    </rule>
    <rule id="902040" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab Execution From Non Default Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Mail\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Mail\\+)</field>
    </rule>
    <rule id="902041" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab/Wabmig Unusual Parent Or Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
    </rule>
    <rule id="902042" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab/Wabmig Unusual Parent Or Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
    </rule>
    <rule id="902043" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1204</id>
        </mitre>
        <description>Potentially Suspicious WebDAV LNK Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+DavWWWRoot\\+</field>
    </rule>
    <rule id="902044" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+w3wp\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902045" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902046" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalina\.jar|CATALINA_HOME</field>
    </rule>
    <rule id="902047" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
    </rule>
    <rule id="902048" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-hp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m</field>
    </rule>
    <rule id="902049" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /add</field>
    </rule>
    <rule id="902050" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ localgroup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ administrators\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/add</field>
    </rule>
    <rule id="902051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntdsutil\.exe|\\+ldifde\.exe|\\+adfind\.exe|\\+procdump\.exe|\\+Nanodump\.exe|\\+vssadmin\.exe|\\+fsutil\.exe)$</field>
    </rule>
    <rule id="902052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-decode\ |\ \-NoP\ |\ \-W\ Hidden\ |\ /decode\ |\ /ticket:|\ sekurlsa|\.dmp\ full|\.downloadfile\(|\.downloadstring\(|FromBase64String|process\ call\ create|reg\ save\ |whoami\ /priv</field>
    </rule>
    <rule id="902053" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe|\\+php\-cgi\.exe|\\+nginx\.exe|\\+httpd\.exe|\\+caddy\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902055" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalina\.jar|CATALINA_HOME</field>
    </rule>
    <rule id="902056" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)net\.exe|net1\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ |\ use\ |\ group\ )</field>
    </rule>
    <rule id="902057" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)ping\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-n\ )</field>
    </rule>
    <rule id="902058" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\&amp;cd\&amp;echo|cd\ /d\ )</field>
    </rule>
    <rule id="902059" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wmic\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /node:</field>
    </rule>
    <rule id="902060" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dsquery\.exe|\\+find\.exe|\\+findstr\.exe|\\+ipconfig\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+pathping\.exe|\\+quser\.exe|\\+schtasks\.exe|\\+systeminfo\.exe|\\+tasklist\.exe|\\+tracert\.exe|\\+ver\.exe|\\+wevtutil\.exe|\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)dsquery\.exe|find\.exe|findstr\.exe|ipconfig\.exe|netstat\.exe|nslookup\.exe|pathping\.exe|quser\.exe|schtasks\.exe|sysinfo\.exe|tasklist\.exe|tracert\.exe|ver\.exe|VSSADMIN\.EXE|wevtutil\.exe|whoami\.exe</field>
    </rule>
    <rule id="902061" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ Test\-NetConnection\ |dir\ \\+</field>
    </rule>
    <rule id="902062" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+php\.exe|\\+tomcat\.exe|\\+UMWorkerProcess\.exe|\\+w3wp\.exe|\\+ws_TomcatService\.exe)$</field>
    </rule>
    <rule id="902063" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)CATALINA_HOME|catalina\.home|catalina\.jar</field>
    </rule>
    <rule id="902065" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arp\.exe|\\+at\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+dsget\.exe|\\+hostname\.exe|\\+nbtstat\.exe|\\+net\.exe|\\+net1\.exe|\\+netdom\.exe|\\+netsh\.exe|\\+nltest\.exe|\\+ntdutil\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+qprocess\.exe|\\+query\.exe|\\+qwinsta\.exe|\\+reg\.exe|\\+rundll32\.exe|\\+sc\.exe|\\+sh\.exe|\\+wmic\.exe|\\+wscript\.exe|\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:Windows\\+system32\\+cmd\.exe\ /c\ C:\\+ManageEngine\\+ADManager\ "Plus\\+ES\\+bin\\+elasticsearch\.bat\ \-Enode\.name=RMP\-NODE1\ \-pelasticsearch\-pid\.txt)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)sc\ query</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ADManager\ Plus</field>
    </rule>
    <rule id="902066" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+w3wp\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902067" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902068" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)CATALINA_HOME|catalina\.jar</field>
    </rule>
    <rule id="902069" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)perl\ \-\-help|perl\ \-h|python\ \-\-help|python\ \-h|python3\ \-\-help|python3\ \-h|wget\ \-\-help</field>
    </rule>
    <rule id="902070" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via WER</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Werfault\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WerFault\.exe</field>
        <field name="win.eventdata.parentUser" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ip\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-s\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+lsass\.exe</field>
    </rule>
    <rule id="902071" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Child Process Of Wermgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+ipconfig\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902072" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Execution Location Of Wermgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="902073" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)whoami\.exe</field>
    </rule>
    <rule id="902074" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution With Output Option</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)whoami\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /FO\ CSV|\ \-FO\ CSV</field>
    </rule>
    <rule id="902075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution With Output Option</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)whoami.+&gt;</field>
    </rule>
    <rule id="902076" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)whoami\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="902077" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)whoami\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Monitoring\ Agent\\+Agent\\+MonitoringHost\.exe)$</field>
    </rule>
    <rule id="902078" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Suspicious WindowsTerminal Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+regsvr32\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+csc\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Users\\+Public\\+|\\+Downloads\\+|\\+Desktop\\+|\\+AppData\\+Local\\+Temp\\+|\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ iex\ |\ icm|Invoke\-|Import\-Module\ |ipmo\ |DownloadString\(|\ /c\ |\ /k\ |\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Import\-Module</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Microsoft\.VisualStudio\.DevShell\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Enter\-VsDevShell</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+Microsoft\.WindowsTerminal_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+LocalState\\+settings\.json</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Common7\\+Tools\\+VsDevCmd\.bat</field>
    </rule>
    <rule id="902079" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Winrar Execution in Non-Standard Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe|\\+winrar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Command\ line\ RAR</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+UnRAR\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+WinRAR\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WinRAR\\+</field>
    </rule>
    <rule id="902080" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Winrar Execution in Non-Standard Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe|\\+winrar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Command\ line\ RAR</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="902081" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)winrm</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)format:pretty|format:"pretty"|format:"text"|format:text</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="902082" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session Host Process (WinRM)</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
    </rule>
    <rule id="902083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1190</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Processes Spawned by WinRM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+sh\.exe|\\+bash\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+schtasks\.exe|\\+certutil\.exe|\\+whoami\.exe|\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="902084" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Wlrmdr.EXE Uncommon Argument Or Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wlrmdr\.exe)$</field>
    </rule>
    <rule id="902085" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Wlrmdr.EXE Uncommon Argument Or Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wlrmdr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)WLRMNDR\.EXE</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-s\ |\-f\ |\-t\ |\-m\ |\-a\ |\-u\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+winlogon\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\-</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>New ActiveScriptEventConsumer Created Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ActiveScriptEventConsumer</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ CREATE\ )</field>
    </rule>
    <rule id="902087" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Process Reconnaissance Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WMIC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wmic\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)process</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)call</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)create</field>
    </rule>
    <rule id="902088" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WMIC Remote Command Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WMIC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wmic\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/node:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/node:127\.0\.0\.1\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/node:localhost\ )</field>
    </rule>
    <rule id="902089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Suspicious Process Created Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:process\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:call\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32|bitsadmin|regsvr32|cmd\.exe\ /c\ |cmd\.exe\ /k\ |cmd\.exe\ /r\ |cmd\ /c\ |cmd\ /k\ |cmd\ /r\ |powershell|pwsh|certutil|cscript|wscript|mshta|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+|%temp%|%tmp%|%ProgramData%|%appdata%|%comspec%|%localappdata%</field>
    </rule>
    <rule id="902090" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)wmic</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:product\ where\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)call</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/nointeractive</field>
    </rule>
    <rule id="902091" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)wmic</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:caption\ like\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)call\ delete|call\ terminate</field>
    </rule>
    <rule id="902092" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:process\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:where\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
    </rule>
    <rule id="902093" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%carbon%|%cylance%|%endpoint%|%eset%|%malware%|%Sophos%|%symantec%|Antivirus|AVG\ |Carbon\ Black|CarbonBlack|Cb\ Defense\ Sensor\ 64\-bit|Crowdstrike\ Sensor|Cylance\ |Dell\ Threat\ Defense|DLP\ Endpoint|Endpoint\ Detection|Endpoint\ Protection|Endpoint\ Security|Endpoint\ Sensor|ESET\ File\ Security|LogRhythm\ System\ Monitor\ Service|Malwarebytes|McAfee\ Agent|Microsoft\ Security\ Client|Sophos\ Anti\-Virus|Sophos\ AutoUpdate|Sophos\ Credential\ Store|Sophos\ Management\ Console|Sophos\ Management\ Database|Sophos\ Management\ Server|Sophos\ Remote\ Management\ System|Sophos\ Update\ Manager|Threat\ Protection|VirusScan|Webroot\ SecureAnywhere|Windows\ Defender</field>
    </rule>
    <rule id="902094" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>XSL Script Execution Via WMIC.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-format</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:List</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:htable</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:hform</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:table</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:mof</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:value</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:rawxml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:csv</field>
    </rule>
    <rule id="902095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WmiPrvSE Spawned A Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSe\.exe)$</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)0x3e7</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)null</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902096" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+msiexec\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+verclsid\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902097" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cscript|mshta|powershell|pwsh|regsvr32|rundll32|wscript</field>
    </rule>
    <rule id="902098" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/i\ )</field>
    </rule>
    <rule id="902099" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Backdoor Exchange Transport Agent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EdgeTransport\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+conhost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Bin\\+OleConverter\.exe)$</field>
    </rule>
    <rule id="902100" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence - Script Event Consumer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+wbem\\+scrcons\.exe</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
    </rule>
    <rule id="902101" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1542.001</id>
        </mitre>
        <description>UEFI Persistence Via Wpbbin - ProcessCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+wpbbin\.exe</field>
    </rule>
    <rule id="902102" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
    </rule>
    <rule id="902103" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="902104" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32|regsvr32|msiexec</field>
    </rule>
    <rule id="902105" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)UpdatePerUserSystemParameters</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)PrintUIEntry</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ClearMyTracksByProcess</field>
    </rule>
    <rule id="902106" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>WSL Child Process Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+wslhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902107" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>WSL Child Process Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+wslhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+|C:\\+Temp\\+|\\+Downloads\\+|\\+Desktop\\+</field>
    </rule>
    <rule id="902108" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Arbitrary Command Execution Using WSL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wsl\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e\ |\ \-\-exec|\ \-\-system|\ \-\-shell\-type\ |\ /mnt/c|\ \-\-user\ root|\ \-u\ root|\-\-debug\-shell</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-e\ kill\ )</field>
    </rule>
    <rule id="902109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Windows Binary Executed From WSL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)[a-zA-Z]:\\+</field>
        <field name="win.eventdata.currentDirectory" negate="no" type="pcre2">(?i)\\+wsl\.localhost</field>
    </rule>
    <rule id="902110" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Proxy Execution Via Wuauclt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)wuauclt\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)UpdateDeploymentProvider</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RunHandlerComServer</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /UpdateDeploymentProvider\ UpdateDeploymentProvider\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ wuaueng\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+Packages\\+Preview\\+amd64\\+updatedeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+amd64\\+UpdateDeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+UpdateDeploy\.dll\ /ClassId\ )</field>
    </rule>
    <rule id="902111" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa Extracting Cab Files</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/extract:</field>
    </rule>
    <rule id="902112" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa.EXE Executed By Parent Process Located In Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+Appdata\\+Local\\+Temp\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902113" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa.EXE Executed By Parent Process Located In Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="902114" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.012</id>
        </mitre>
        <description>Potential Process Hollowing Activity</description>
        <options>no_full_log</options>
        <group>windows,process_tampering,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.type" negate="no" type="pcre2">(?i)Image\ is\ replaced</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+wbem\\+WMIADAP\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+wbem\\+WMIADAP\.exe</field>
    </rule>
    <rule id="902115" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.012</id>
        </mitre>
        <description>Potential Process Hollowing Activity</description>
        <options>no_full_log</options>
        <group>windows,process_tampering,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.type" negate="no" type="pcre2">(?i)Image\ is\ replaced</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
    </rule>
    <rule id="902116" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1006</id>
        </mitre>
        <description>Potential Defense Evasion Via Raw Disk Access By Uncommon Tools</description>
        <options>no_full_log</options>
        <group>windows,raw_access_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="yes" type="pcre2">(?i)floppy</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+servicing\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SystemApps\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+uus\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Registry</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Executables\\+SSDUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+HostMetadata\\+NVMEHostmetadata\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
    </rule>
    <rule id="902117" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1006</id>
        </mitre>
        <description>Potential Defense Evasion Via Raw Disk Access By Uncommon Tools</description>
        <options>no_full_log</options>
        <group>windows,raw_access_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+resources\\+app\\+git\\+mingw64\\+bin\\+git\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Keybase\\+upd\.exe</field>
    </rule>
    <rule id="902118" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential NetWire RAT Activity - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+software\\+NetWire</field>
    </rule>
    <rule id="902119" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Ursnif Malware Activity - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+AppDataLow\\+Software\\+Microsoft\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+Internet\ Explorer\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+RepService\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+IME\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+Edge\\+</field>
    </rule>
    <rule id="902120" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via New AMSI Providers - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+AMSI\\+Providers\\+|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+AMSI\\+Providers\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="902121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential COM Object Hijacking Via TreatAs Subkey - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKU\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+TreatAs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+svchost\.exe</field>
    </rule>
    <rule id="902122" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Disk Cleanup Handler - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Active\ Setup\ Temp\ Folders)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+BranchCache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Content\ Indexer\ Cleaner)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+D3D\ Shader\ Cache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Delivery\ Optimization\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Device\ Driver\ Packages)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Diagnostic\ Data\ Viewer\ database\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Downloaded\ Program\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+DownloadsFolder)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Feedback\ Hub\ Archive\ log\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Internet\ Cache\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Language\ Pack)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\ Office\ Temp\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Offline\ Pages\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Old\ ChkDsk\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Previous\ Installations)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Recycle\ Bin)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+RetailDemo\ Offline\ Content)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Setup\ Log\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+System\ error\ memory\ dump\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+System\ error\ minidump\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Setup\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Sync\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Thumbnail\ Cache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Update\ Cleanup)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Upgrade\ Discarded\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+User\ file\ versions)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Defender)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Error\ Reporting\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ ESD\ installation\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Upgrade\ Log\ Files)$</field>
    </rule>
    <rule id="902123" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Potential Persistence Via Logon Scripts - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)UserInitMprLogonScript</field>
    </rule>
    <rule id="902124" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>PUA - Sysinternal Tool Execution - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
    </rule>
    <rule id="902125" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Suspicious Execution Of Renamed Sysinternals Tools - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Active\ Directory\ Explorer|\\+Handle|\\+LiveKd|\\+ProcDump|\\+Process\ Explorer|\\+PsExec|\\+PsLoggedon|\\+PsLoglist|\\+PsPasswd|\\+PsPing|\\+PsService|\\+SDelete</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsLoggedon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsLoggedon64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsPing\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsPing64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsService\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsService64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete\.exe)$</field>
    </rule>
    <rule id="902126" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>PUA - Sysinternals Tools Execution - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Active\ Directory\ Explorer|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+ProcDump|\\+PsExec|\\+PsLoglist|\\+PsPasswd|\\+SDelete|\\+Sysinternals</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
    </rule>
    <rule id="902127" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Folder Removed From Exploit Guard ProtectedFolders List - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+ProtectedFolders</field>
    </rule>
    <rule id="902128" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Terminal Server Client Connection History Cleared - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Terminal\ Server\ Client\\+Default\\+MRU</field>
    </rule>
    <rule id="902129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Terminal Server Client Connection History Cleared - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Terminal\ Server\ Client\\+Servers\\+</field>
    </rule>
    <rule id="902130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Removal Of AMSI Provider Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\{2781761E\-28E0\-4109\-99FE\-B9D127C57AFE\}|\{A7C452EF\-8E9F\-42EB\-9F2B\-245613CA0DC9\})$</field>
    </rule>
    <rule id="902131" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Removal of Potential COM Hijacking Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+shell\\+open\\+command)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Dropbox\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+Wireshark_uninstaller\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+wireshark\-capture\-file\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Opera\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Opera\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+installer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)peazip</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+PeaZip\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Everything\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Everything\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Java\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+installer\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Classes\\+WOW6432Node\\+CLSID\\+\{4299124F\-F2C3\-41b4\-9C73\-9236B2AD0E8F\}</field>
    </rule>
    <rule id="902132" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Removal Of Index Value to Hide Schedule Task - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Index</field>
    </rule>
    <rule id="902133" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Removal Of SD Value to Hide Schedule Task - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SD</field>
    </rule>
    <rule id="902134" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Creation of a Local Hidden User Account by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SAM\\+SAM\\+Domains\\+Account\\+Users\\+Names\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
    </rule>
    <rule id="902135" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Leviathan Registry Key Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+ntkd</field>
    </rule>
    <rule id="902136" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>OceanLotus Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+CLSID\\+\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\+Model</field>
    </rule>
    <rule id="902137" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>OceanLotus Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+AppXc52346ec40fb4061ad96be0e6cb7d16a\\+|Classes\\+AppX3bbba44c6cae4d9695755183472171e2\\+|Classes\\+CLSID\\+\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\+|Classes\\+CLSID\\+\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\+Model</field>
    </rule>
    <rule id="902138" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.g0049</id>
            <id>attack.t1053.005</id>
            <id>attack.s0111</id>
            <id>attack.t1543.003</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>OilRig APT Registry Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+UMe|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+UT)$</field>
    </rule>
    <rule id="902139" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Pandemic Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+services\\+null\\+Instance</field>
    </rule>
    <rule id="902140" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Via Wsreset</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\+Shell\\+open\\+command)$</field>
    </rule>
    <rule id="902141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Registry Event</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+cmmgr32\.exe</field>
    </rule>
    <rule id="902142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Security Events Logging Adding Reg Key MiniNt</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt</field>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt</field>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)CreateKey</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt</field>
    </rule>
    <rule id="902143" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Wdigest CredGuard Registry Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+IsCredGuardEnabled)$</field>
    </rule>
    <rule id="902144" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Esentutl Volume Shadow Copy Service Keys</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)System\\+CurrentControlSet\\+Services\\+VSS</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:esentutl\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)System\\+CurrentControlSet\\+Services\\+VSS\\+Start</field>
    </rule>
    <rule id="902145" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Windows Credential Editor Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Services\\+WCESERVICE\\+Start</field>
    </rule>
    <rule id="902146" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1608</id>
        </mitre>
        <description>HybridConnectionManager Service Installation - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+HybridConnectionManager</field>
    </rule>
    <rule id="902147" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1608</id>
        </mitre>
        <description>HybridConnectionManager Service Installation - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Microsoft\.HybridConnectionManager\.Listener\.exe</field>
    </rule>
    <rule id="902148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Qakbot Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+firm\\+soft\\+Name)$</field>
    </rule>
    <rule id="902149" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Entries For Azorult Malware</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)12|13</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+services\\+localNETService)$</field>
    </rule>
    <rule id="902150" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers\\+Version\-3\\+QMS\ 810\\+|\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers\\+Version\-3\\+mimikatz</field>
    </rule>
    <rule id="902151" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)legitprinter</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows</field>
    </rule>
    <rule id="902152" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments|\\+CurrentVersion\\+Print\\+Printers</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Gentil\ Kiwi|mimikatz\ printer|Kiwi\ Legit\ Printer</field>
    </rule>
    <rule id="902153" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Path To Screensaver Binary Modified</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\ Panel\\+Desktop\\+SCRNSAVE\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
    </rule>
    <rule id="902154" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Narrator's Feedback-Hub Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)DeleteValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppXypsaf9f1qserqevf0sws76dx4k9a5206\\+Shell\\+open\\+command\\+DelegateExecute)$</field>
    </rule>
    <rule id="902155" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Narrator's Feedback-Hub Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppXypsaf9f1qserqevf0sws76dx4k9a5206\\+Shell\\+open\\+command\\+$Default$)$</field>
    </rule>
    <rule id="902156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NetNTLM Downgrade Attack - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Lsa</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+lmcompatibilitylevel|\\+NtlmMinClientSec|\\+RestrictSendingNTLMTraffic)$</field>
    </rule>
    <rule id="902157" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.009</id>
        </mitre>
        <description>New DLL Added to AppCertDlls Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+Session\ Manager\\+AppCertDlls</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurentControlSet\\+Control\\+Session\ Manager\\+AppCertDlls</field>
    </rule>
    <rule id="902158" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.010</id>
        </mitre>
        <description>New DLL Added to AppInit_DLLs Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls)$</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902159" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.002</id>
        </mitre>
        <description>Office Application Startup - Office Test</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Office\ test\\+Special\\+Perf</field>
    </rule>
    <rule id="902160" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Windows Registry Trust Record Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+Trusted\ Documents\\+TrustRecords</field>
    </rule>
    <rule id="902161" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Registry Persistence Mechanisms in Recycle Bin</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)RenameKey</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)\\+CLSID\\+\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\+shell\\+open</field>
    </rule>
    <rule id="902162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Registry Persistence Mechanisms in Recycle Bin</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\+shell\\+open\\+command\\+$Default$</field>
    </rule>
    <rule id="902163" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New PortProxy Registry Entry Added</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+PortProxy\\+v4tov4\\+tcp\\+</field>
    </rule>
    <rule id="902164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RedMimicry Winnti Playbook Registry Manipulation</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SOFTWARE\\+Microsoft\\+HTMLHelp\\+data</field>
    </rule>
    <rule id="902165" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>WINEKEY Registry Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Backup\ Mgr)$</field>
    </rule>
    <rule id="902166" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Run Once Task Configuration in Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Active\ Setup\\+Installed\ Components</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+StubPath)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Installer\\+chrmstp\.exe"\ \-\-configure\-user\-settings\ \-\-verbose\-logging\ \-\-system\-level</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Installer\\+setup\.exe"\ \-\-configure\-user\-settings\ \-\-verbose\-logging\ \-\-system\-level\ \-\-msedge\ \-\-channel=stable)$</field>
    </rule>
    <rule id="902167" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+SymbolicLinkValue)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Software\\+Classes\\+\{</field>
    </rule>
    <rule id="902168" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+DelegateExecute)$</field>
    </rule>
    <rule id="902169" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+$Default$|Classes\\+exefile\\+shell\\+open\\+command\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902170" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via LSASS SilentProcessExit Technique</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Microsoft\\+Windows\ NT\\+CurrentVersion\\+SilentProcessExit\\+lsass\.exe</field>
    </rule>
    <rule id="902171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.005</id>
        </mitre>
        <description>Security Support Provider (SSP) Added to LSA Configuration</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\\+Lsa\\+Security\ Packages|\\+Control\\+Lsa\\+OSConfig\\+Security\ Packages)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+msiexec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+syswow64\\+MsiExec\.exe</field>
    </rule>
    <rule id="902172" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.008</id>
            <id>car.2014-11-003</id>
            <id>car.2014-11-008</id>
        </mitre>
        <description>Sticky Key Like Backdoor Usage - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+sethc\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+utilman\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+osk\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+Magnify\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+Narrator\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+DisplaySwitch\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+atbroker\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+HelpPane\.exe\\+Debugger)$</field>
    </rule>
    <rule id="902173" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Atbroker Registry Change</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+ATs|Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+Configuration</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+atbroker\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+Configuration</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+ATs</field>
    </rule>
    <rule id="902174" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Run Key from Download</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Downloads\\+|\\+Temporary\ Internet\ Files\\+Content\.Outlook\\+|\\+Local\ Settings\\+Temporary\ Internet\ Files\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+</field>
    </rule>
    <rule id="902175" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1547.008</id>
        </mitre>
        <description>DLL Load via LSASS</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Services\\+NTDS\\+DirectoryServiceExtPt|\\+CurrentControlSet\\+Services\\+NTDS\\+LsaDbExtPt</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+lsass\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+system32\\+ntdsa\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+system32\\+lsadb\.dll</field>
    </rule>
    <rule id="902176" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+WBEM\\+CIMOM\\+AllowAnonymousCallback</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902177" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Registry Persistence via Service in Safe Mode</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+SafeBoot\\+Minimal\\+|\\+Control\\+SafeBoot\\+Network\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Service</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+msiexec\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Control\\+SafeBoot\\+Minimal\\+SAVService\\+$Default$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Control\\+SafeBoot\\+Network\\+SAVService\\+$Default$)$</field>
    </rule>
    <rule id="902178" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Add Port Monitor Persistence in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+spoolsv\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+CutePDF\ Writer\ Monitor\ v4\.0\\+Driver</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)cpwmon64_v40\.dll</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+MONVNC\\+Driver</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Control\\+Print\\+Environments\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Drivers\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer</field>
    </rule>
    <rule id="902179" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Add Debugger Entry To AeDebug For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AeDebug\\+Debugger</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+WINDOWS\\+system32\\+vsjitdebugger\.exe"\ \-p\ %ld\ \-e\ %ld\ \-j\ 0x%p</field>
    </rule>
    <rule id="902180" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Allow RDP Remote Assistance Feature</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Terminal\ Server\\+fAllowToGetHelp)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902181" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI COM Server Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CLSID\\+\{fdb00e52\-a214\-4aa1\-8fba\-4357bb0072ec\}\\+InProcServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%windir%\\+system32\\+amsi\.dll</field>
    </rule>
    <rule id="902182" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Classes Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Classes</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Folder\\+ShellEx\\+ExtShellFolderViews|\\+Folder\\+ShellEx\\+DragDropHandlers|\\+Folder\\+Shellex\\+ColumnHandlers|\\+Filter|\\+Exefile\\+Shell\\+Open\\+Command\\+$Default$|\\+Directory\\+Shellex\\+DragDropHandlers|\\+Directory\\+Shellex\\+CopyHookHandlers|\\+CLSID\\+\{AC757296\-3522\-4E11\-9862\-C17BE5A1767E\}\\+Instance|\\+CLSID\\+\{ABE3B9A4\-257D\-4B97\-BD1A\-294AF496222E\}\\+Instance|\\+CLSID\\+\{7ED96837\-96F0\-4812\-B211\-F13C24117ED3\}\\+Instance|\\+CLSID\\+\{083863F1\-70DE\-11d0\-BD40\-00A0C911CE86\}\\+Instance|\\+Classes\\+AllFileSystemObjects\\+ShellEx\\+DragDropHandlers|\\+\.exe|\\+\.cmd|\\+ShellEx\\+PropertySheetHandlers|\\+ShellEx\\+ContextMenuHandlers</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{807583E5\-5146\-11D5\-A672\-00B0D022E945\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+drvinst\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+lnkfile\\+shellex\\+ContextMenuHandlers\\+</field>
    </rule>
    <rule id="902183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Common Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ CE\ Services\\+AutoStart|\\+Software\\+Wow6432Node\\+Microsoft\\+Command\ Processor\\+Autorun|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Active\ Setup\\+Installed\ Components|\\+SOFTWARE\\+Microsoft\\+Windows\ CE\ Services\\+AutoStartOnDisconnect|\\+SOFTWARE\\+Microsoft\\+Windows\ CE\ Services\\+AutoStartOnConnect|\\+SYSTEM\\+Setup\\+CmdLine|\\+Software\\+Microsoft\\+Ctf\\+LangBarAddin|\\+Software\\+Microsoft\\+Command\ Processor\\+Autorun|\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components|\\+SOFTWARE\\+Classes\\+Protocols\\+Handler|\\+SOFTWARE\\+Classes\\+Protocols\\+Filter|\\+SOFTWARE\\+Classes\\+Htmlfile\\+Shell\\+Open\\+Command\\+$Default$|\\+Environment\\+UserInitMprLogonScript|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+Control\ Panel\\+Desktop\\+Scrnsave\.exe|\\+Software\\+Microsoft\\+Internet\ Explorer\\+UrlSearchHooks|\\+SOFTWARE\\+Microsoft\\+Internet\ Explorer\\+Desktop\\+Components|\\+Software\\+Classes\\+Clsid\\+\{AB8902B4\-09CA\-4bb6\-B78D\-A8F59079A8D5\}\\+Inprocserver32|\\+Control\ Panel\\+Desktop\\+Scrnsave\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Office\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Classes\\+PROTOCOLS\\+Handler\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRunStore\\+HKMU\\+SOFTWARE\\+Classes\\+PROTOCOLS\\+Handler\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{314111c7\-a502\-11d2\-bbca\-00c04f8ec294\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{3459B272\-CC19\-4448\-86C9\-DDC3B4B2FAD3\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{42089D2D\-912D\-4018\-9087\-2B87803E93FB\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{5504BE45\-A83B\-4808\-900A\-3A5C36E7F77A\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{807583E5\-5146\-11D5\-A672\-00B0D022E945\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{8A69D345\-D564\-463c\-AFF1\-A69D9E530F96\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{9459C573\-B17A\-45AE\-9F64\-1857B5D58CEE\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Software\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{89820200\-ECBD\-11cf\-8B85\-00AA005B4383\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+poqexec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
    </rule>
    <rule id="902184" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentControlSet Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Control</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+InitialProgram|\\+Terminal\ Server\\+Wds\\+rdpwd\\+StartupPrograms|\\+SecurityProviders\\+SecurityProviders|\\+SafeBoot\\+AlternateShell|\\+Print\\+Providers|\\+Print\\+Monitors|\\+NetworkProvider\\+Order|\\+Lsa\\+Notification\ Packages|\\+Lsa\\+Authentication\ Packages|\\+BootVerificationProgram\\+ImagePath</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+spoolsv\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Print\\+Monitors\\+CutePDF\ Writer\ Monitor</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)cpwmon64_v40\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)CutePDF\ Writer</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+spoolsv\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Print\\+Monitors\\+Appmon\\+Ports\\+Microsoft\.Office\.OneNote_</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+poqexec\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+NetworkProvider\\+Order\\+ProviderOrder)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+spoolsv\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Print\\+Monitors\\+MONVNC\\+Driver)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)VNCpm\.dll</field>
    </rule>
    <rule id="902185" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ShellServiceObjectDelayLoad|\\+Run\\+|\\+RunOnce\\+|\\+RunOnceEx\\+|\\+RunServices\\+|\\+RunServicesOnce\\+|\\+Policies\\+System\\+Shell|\\+Policies\\+Explorer\\+Run|\\+Group\ Policy\\+Scripts\\+Startup|\\+Group\ Policy\\+Scripts\\+Shutdown|\\+Group\ Policy\\+Scripts\\+Logon|\\+Group\ Policy\\+Scripts\\+Logoff|\\+Explorer\\+ShellServiceObjects|\\+Explorer\\+ShellIconOverlayIdentifiers|\\+Explorer\\+ShellExecuteHooks|\\+Explorer\\+SharedTaskScheduler|\\+Explorer\\+Browser\ Helper\ Objects|\\+Authentication\\+PLAP\ Providers|\\+Authentication\\+Credential\ Providers|\\+Authentication\\+Credential\ Provider\ Filters</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+NgcFirst\\+ConsecutiveSwitchCount)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+Update\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Roaming\\+Spotify\\+Spotify\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+devicecensus\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+winsat\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ OneDrive\\+StandaloneUpdater\\+OneDriveSetup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ OneDrive\\+Update\\+OneDriveSetup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ OneDrive\\+Update\\+OneDriveSetup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+KeePass\ Password\ Safe\ 2\\+ShInstUtil\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Everything\\+Everything\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+LogonUI\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{D6886603\-9D2F\-4EB2\-B667\-1971041FA96B\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{BEC09223\-B018\-416D\-A0AC\-523971B639F5\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{8AF662BF\-65A0\-4D0A\-A540\-A338A999D36F\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{27FBDB57\-B613\-4AF2\-9D7E\-4FA7A66C21AD\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeUpdate\\+Install\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+regsvr32\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)DropboxExt</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:A251\-47B7\-93E1\-CDD82E34AF8B\})$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Opera\ Browser\ Assistant)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Opera\\+assistant\\+browser_assistant\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+iTunesHelper)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+Program\ Files\\+iTunes\\+iTunesHelper\.exe"</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+zoommsirepair)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+Program\ Files\\+Zoom\\+bin\\+installer\.exe"\ /repair</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Greenshot)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Greenshot\\+Greenshot\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+GoogleDriveFS)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+GoogleDriveFS\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)GoogleDrive</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{CFE8B367\-77A7\-41D7\-9C90\-75D16D7DC6B6\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{A8E52322\-8734\-481D\-A7E2\-27B309EF8D56\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{C973DA94\-CBDF\-4E77\-81D1\-E5B794FBD146\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{51EF1569\-67EE\-4AD6\-9646\-E726C3FFC8A2\}</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ rmdir\ /s\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ del\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Package\ Cache\\+\{</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\}\\+python\-</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\\+MsMpEng\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+Update\.exe\ \-\-processStart\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+userinit\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)ctfmon\.exe\ /n</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+AVG\\+Antivirus\\+Setup\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+Program\ Files\\+AVG\\+Antivirus\\+AvLaunch\.exe"\ /gui</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+Program\ Files\ $x86$\\+AVG\\+Antivirus\\+AvLaunch\.exe"\ /gui</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\{472083B0\-C522\-11CF\-8763\-00608CC02F24\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+aurora\-dashboard)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Aurora\-Agent\\+tools\\+aurora\-dashboard\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Everything)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Everything\\+Everything\.exe"\ \-startup)$</field>
    </rule>
    <rule id="902186" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentVersion NT Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Winlogon\\+VmApplet|\\+Winlogon\\+Userinit|\\+Winlogon\\+Taskman|\\+Winlogon\\+Shell|\\+Winlogon\\+GpExtensions|\\+Winlogon\\+AppSetup|\\+Winlogon\\+AlternateShells\\+AvailableShells|\\+Windows\\+IconServiceLib|\\+Windows\\+Appinit_Dlls|\\+Image\ File\ Execution\ Options|\\+Font\ Drivers|\\+Drivers32|\\+Windows\\+Run|\\+Windows\\+Load</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Image\ File\ Execution\ Options\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+DisableExceptionChainValidation)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+MitigationOptions)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Temp\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdate\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRunStore\\+HKLM\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Winlogon\\+GPExtensions\\+\{827D319E\-6EAC\-11D2\-A4EA\-00C04F79F83A\}\\+PreviousPolicyAreas</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Winlogon\\+GPExtensions\\+\{827D319E\-6EAC\-11D2\-A4EA\-00C04F79F83A\}\\+MaxNoGPOListChangesInterval</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)DWORD\ $0x00000009$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)DWORD\ $0x000003c0$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+StandaloneUpdater\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+Delete\ Cached\ Update\ Binary)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ del\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+Update\\+OneDriveSetup\.exe")$</field>
    </rule>
    <rule id="902187" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Internet Explorer Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Microsoft\\+Internet\ Explorer|\\+Software\\+Microsoft\\+Internet\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Toolbar|\\+Extensions|\\+Explorer\ Bars</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{2670000A\-7350\-4f3c\-8081\-5663EE0C6C49\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{31D09BA0\-12F5\-4CCE\-BE8A\-2923E76605DA\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{789FE86F\-6FC4\-46A1\-9849\-EDE0DB0C95CA\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{A95fe080\-8f5d\-11d2\-a20b\-00aa003c157a\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+ShellBrowser\\+ITBar7Layout)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+ShowDiscussionButton)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+Locked)$</field>
    </rule>
    <rule id="902188" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Office Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Microsoft\\+Office|\\+Software\\+Microsoft\\+Office</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Word\\+Addins|\\+PowerPoint\\+Addins|\\+Outlook\\+Addins|\\+Onenote\\+Addins|\\+Excel\\+Addins|\\+Access\\+Addins|test\\+Special\\+Perf</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+regsvr32\.exe)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+AdHocReportingExcelClientLib\.AdHocReportingExcelClientAddIn\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+ExcelPlugInShell\.PowerMapConnect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+NativeShim\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+NativeShim\.InquireConnector\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+PowerPivotExcelClientAddIn\.NativeEntry\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+AccessAddin\.DC\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+ColleagueImport\.ColleagueImportAddin\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+EvernoteCC\.EvernoteContactConnector\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+EvernoteOLRD\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+Microsoft\.VbaAddinForOutlook\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OcOffice\.OcForms\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OneNote\.OutlookAddin</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OscAddin\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OutlookChangeNotifier\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UCAddin\.LyncAddin\.1</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UCAddin\.UCAddin\.1</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UmOutlookAddin\.FormRegionAddin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+AVG\\+Antivirus\\+RegSvr\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Office\\+Outlook\\+Addins\\+Antivirus\.AsOutExt\\+</field>
    </rule>
    <rule id="902189" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
            <id>attack.t1546.009</id>
        </mitre>
        <description>Session Manager Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Session\ Manager</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SetupExecute|\\+S0InitialCommand|\\+KnownDlls|\\+Execute|\\+BootExecute|\\+AppCertDlls</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902190" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>System Scripts Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Policies\\+Microsoft\\+Windows\\+System\\+Scripts</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Startup|\\+Shutdown|\\+Logon|\\+Logoff</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902191" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>WinSock2 Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+WinSock2\\+Parameters</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Protocol_Catalog9\\+Catalog_Entries|\\+NameSpace_Catalog5\\+Catalog_Entries</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+MsiExec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+syswow64\\+MsiExec\.exe</field>
    </rule>
    <rule id="902192" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ShellServiceObjectDelayLoad|\\+Run\\+|\\+RunOnce\\+|\\+RunOnceEx\\+|\\+RunServices\\+|\\+RunServicesOnce\\+|\\+Explorer\\+ShellServiceObjects|\\+Explorer\\+ShellIconOverlayIdentifiers|\\+Explorer\\+ShellExecuteHooks|\\+Explorer\\+SharedTaskScheduler|\\+Explorer\\+Browser\ Helper\ Objects</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeUpdate\\+Install\\+\{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+setup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+OfficeClickToRun\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Office\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Wow6432Node\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Explorer\\+Browser\ Helper\ Objects\\+\{31D09BA0\-12F5\-4CCE\-BE8A\-2923E76605DA\}\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\-A251\-47B7\-93E1\-CDD82E34AF8B\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)grpconv\ \-o</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Dropbox\\+Client\\+Dropbox\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\ /systemstartup</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Explorer\\+Browser\ Helper\ Objects\\+\{92EF2EAD\-A7CE\-4424\-B0DB\-499CF856608E\}\\+NoExplorer)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+windowsdesktop\-runtime\-</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+WOW6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{e2d1ae32\-dd1d\-4ad7\-a298\-10e42e7840fc\})$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+WOW6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{7037b699\-7382\-448c\-89a7\-4765961d2537\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+ProgramData\\+Package\ Cache\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+ProgramData\\+Package\ Cache\\+\{d21a4f20\-968a\-4b0c\-bf04\-a38da5f06e41\}\\+windowsdesktop\-runtime\-)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+VC_redist\.x64\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\}\\+VC_redist\.x64\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Package\ Cache)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+winsdksetup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+windowsdesktop\-runtime\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AspNetCoreSharedFrameworkBundle\-</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Explorer\\+Browser\ Helper\ Objects</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+msiexec\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+</field>
    </rule>
    <rule id="902193" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node Classes Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Classes</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Folder\\+ShellEx\\+ExtShellFolderViews|\\+Folder\\+ShellEx\\+DragDropHandlers|\\+Folder\\+ShellEx\\+ColumnHandlers|\\+Directory\\+Shellex\\+DragDropHandlers|\\+Directory\\+Shellex\\+CopyHookHandlers|\\+CLSID\\+\{AC757296\-3522\-4E11\-9862\-C17BE5A1767E\}\\+Instance|\\+CLSID\\+\{ABE3B9A4\-257D\-4B97\-BD1A\-294AF496222E\}\\+Instance|\\+CLSID\\+\{7ED96837\-96F0\-4812\-B211\-F13C24117ED3\}\\+Instance|\\+CLSID\\+\{083863F1\-70DE\-11d0\-BD40\-00A0C911CE86\}\\+Instance|\\+AllFileSystemObjects\\+ShellEx\\+DragDropHandlers|\\+ShellEx\\+PropertySheetHandlers|\\+ShellEx\\+ContextMenuHandlers</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902194" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node Windows NT CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Windows\\+Appinit_Dlls|\\+Image\ File\ Execution\ Options|\\+Drivers32</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options</field>
    </rule>
    <rule id="902195" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom DB Path Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+Winternals\\+BGInfo\\+Database)$</field>
    </rule>
    <rule id="902196" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom VBScript Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Winternals\\+BGInfo\\+UserFields\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:4)</field>
    </rule>
    <rule id="902197" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom WMI Query Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Winternals\\+BGInfo\\+UserFields\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:6)</field>
    </rule>
    <rule id="902198" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Blackbyte Ransomware Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LocalAccountTokenFilterPolicy|HKLM\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+EnableLinkedConnections|HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+FileSystem\\+LongPathsEnabled</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902199" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC Using DelegateExecute</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+open\\+command\\+DelegateExecute)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902200" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Bypass UAC Using Event Viewer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:_Classes\\+mscfile\\+shell\\+open\\+command\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%SystemRoot%\\+system32\\+mmc\.exe\ "%1"\ %)</field>
    </rule>
    <rule id="902201" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC Using SilentCleanup Task</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Environment\\+windir)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%SystemRoot%</field>
    </rule>
    <rule id="902202" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Default RDP Port Changed to Non Standard Port</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+PortNumber)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)DWORD\ $0x00000d3d$</field>
    </rule>
    <rule id="902203" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>IE Change Domain Zone</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+Domains\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)DWORD\ $0x00000001$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Sysmon Driver Altitude Change</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Instances\\+Sysmon\ Instance\\+Altitude)$</field>
    </rule>
    <rule id="902205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Change Winevt Channel Access Permission Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ChannelAccess)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)$A;;0x1;;;LA$|$A;;0x1;;;SY$|$A;;0x5;;;BA$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+servicing\\+TrustedInstaller\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
    </rule>
    <rule id="902206" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ClickOnce Trust Prompt Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+MICROSOFT\\+\.NETFramework\\+Security\\+TrustManager\\+PromptingLevel\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Internet|\\+LocalIntranet|\\+MyComputer|\\+TrustedSites|\\+UntrustedSites)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Enabled</field>
    </rule>
    <rule id="902207" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546</id>
            <id>attack.t1548</id>
        </mitre>
        <description>COM Hijack via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Classes\\+Folder\\+shell\\+open\\+command\\+DelegateExecute</field>
    </rule>
    <rule id="902208" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1564</id>
            <id>attack.t1112</id>
        </mitre>
        <description>CrashControl CrashDump Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+CurrentControlSet\\+Control\\+CrashControl</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Start)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+Perflogs\\+|\\+ADMIN\$\\+|\\+Temp\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$|DWORD\ $0x00000001$|DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ImagePath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+Perflogs\\+|\\+ADMIN\$\\+|\\+Temp\\+</field>
    </rule>
    <rule id="902211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Common\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="902212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Custom File Open Handler Executes PowerShell</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)shell\\+open\\+command\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\-command</field>
    </rule>
    <rule id="902213" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574</id>
        </mitre>
        <description>Potential Registry Persistence Attempt Via DbgManagedDebugger</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+\.NETFramework\\+DbgManagedDebugger)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)"C:\\+Windows\\+system32\\+vsjitdebugger\.exe"\ PID\ %d\ APPDOM\ %d\ EXTEXT\ "%s"\ EVTHDL\ %d</field>
    </rule>
    <rule id="902214" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusions Added - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions</field>
    </rule>
    <rule id="902215" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:NoChangingWallpaper)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902216" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Wallpaper)$</field>
    </rule>
    <rule id="902217" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+WallpaperStyle)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)2</field>
    </rule>
    <rule id="902218" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
    </rule>
    <rule id="902219" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Hypervisor Enforced Code Integrity Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+DeviceGuard\\+HypervisorEnforcedCodeIntegrity|\\+Control\\+DeviceGuard\\+HypervisorEnforcedCodeIntegrity|\\+Control\\+DeviceGuard\\+Scenarios\\+HypervisorEnforcedCodeIntegrity\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902220" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DHCP Callout DLL Installation</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+DHCPServer\\+Parameters\\+CalloutDlls|\\+Services\\+DHCPServer\\+Parameters\\+CalloutEnabled)$</field>
    </rule>
    <rule id="902221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Exploit Guard Network Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+App\ and\ Browser\ protection\\+DisallowExploitProtectionOverride</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $00000001$</field>
    </rule>
    <rule id="902222" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled Windows Defender Eventlog</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Windows\ Defender/Operational\\+Enabled</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902223" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable PUA Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Policies\\+Microsoft\\+Windows\ Defender\\+PUAProtection</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902224" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Tamper Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Features\\+TamperProtection</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\\+MsMpEng\.exe</field>
    </rule>
    <rule id="902225" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>Disable Administrative Share Creation at Startup</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+LanmanServer\\+Parameters\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AutoShareWks|\\+AutoShareServer)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential AutoLogger Sessions Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+WMI\\+Autologger\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+EventLog\-|\\+Defender</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enable|\\+Start)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+wevtutil\.exe</field>
    </rule>
    <rule id="902227" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Disable Microsoft Defender Firewall via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+SharedAccess\\+Parameters\\+FirewallPolicy\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EnableFirewall)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902228" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Internal Tools or Feature in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+StartMenuLogOff|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableChangePassword|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableLockWorkstation|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableRegistryTools|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableTaskmgr|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+NoDispBackgroundPage|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+NoDispCPL|SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+Explorer\\+DisableNotificationCenter|SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+System\\+DisableCMD)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902229" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Internal Tools or Feature in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+ConsentPromptBehaviorAdmin|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+shutdownwithoutlogon|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+PushNotifications\\+ToastEnabled|SYSTEM\\+CurrentControlSet\\+Control\\+Storage\\+Write\ Protection|SYSTEM\\+CurrentControlSet\\+Control\\+StorageDevicePolicies\\+WriteProtect)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Disable Macro Runtime Scan Scope</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Common\\+Security</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+MacroRuntimeScanScope)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902231" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Privacy Settings Experience in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+OOBE\\+DisablePrivacyExperience)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902232" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Windows Security Center Notifications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Windows\\+CurrentVersion\\+ImmersiveShell\\+UseActionCenterExperience)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902233" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Registry Disable System Restore</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Policies\\+Microsoft\\+Windows\ NT\\+SystemRestore|\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+SystemRestore</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:DisableConfig|DisableSR)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902234" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Disable UAC Using Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+EnableLUA</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902235" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Service Disabled - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+WinDefend\\+Start)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000004$</field>
    </rule>
    <rule id="902236" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Disable Windows Firewall by Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+WindowsFirewall\\+StandardProfile\\+EnableFirewall|\\+SOFTWARE\\+Policies\\+Microsoft\\+WindowsFirewall\\+DomainProfile\\+EnableFirewall)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Disable Windows Event Logging Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+wevtutil\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+winsxs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+svchost\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-FileInfoMinifilter</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-ASN1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Kernel\-AppCompat\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Runtime\\+Error\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-CAPI2/Operational\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+servicing\\+TrustedInstaller\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Compat\-Appraiser</field>
    </rule>
    <rule id="902238" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Disable Windows Event Logging Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902239" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Add DisallowRun Execution to Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+DisallowRun)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902240" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Disk Cleanup Handler - Autorun</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Autorun</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902241" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Disk Cleanup Handler - Autorun</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CleanupString|\\+PreCleanupString</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)cmd|powershell|rundll32|mshta|cscript|wscript|wsl|\\+Users\\+Public\\+|\\+Windows\\+TEMP\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
    </rule>
    <rule id="902242" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+Edge\\+BuiltInDnsClientEnabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902243" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Google\\+Chrome\\+DnsOverHttpsMode)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)secure</field>
    </rule>
    <rule id="902244" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Mozilla\\+Firefox\\+DNSOverHTTPS\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902245" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New DNS ServerLevelPluginDll Installed</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+services\\+DNS\\+Parameters\\+ServerLevelPluginDll)$</field>
    </rule>
    <rule id="902246" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Sysmon Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+\.NETFramework\\+ETWEnabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Sysmon Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+COMPlus_ETWEnabled|\\+COMPlus_ETWFlags)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)0|DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902248" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Enabling COR Profiler Environment Variables</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+COR_ENABLE_PROFILING|\\+COR_PROFILER|\\+CORECLR_ENABLE_PROFILING)$</field>
    </rule>
    <rule id="902249" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Enabling COR Profiler Environment Variables</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CORECLR_PROFILER_PATH</field>
    </rule>
    <rule id="902250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Scripted Diagnostics Turn Off Check Enabled - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Policies\\+Microsoft\\+Windows\\+ScriptedDiagnostics\\+TurnOffCheck)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902251" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential EventLog File Location Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Services\\+EventLog\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+File)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+System32\\+Winevt\\+Logs\\+</field>
    </rule>
    <rule id="902252" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Change User Account Associated with the FAX Service</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+System\\+CurrentControlSet\\+Services\\+Fax\\+ObjectName</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)NetworkService</field>
    </rule>
    <rule id="902253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Change the Fax Dll</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Fax\\+Device\ Providers\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ImageName</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%systemroot%\\+system32\\+fxst30\.dll</field>
    </rule>
    <rule id="902254" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>New File Association Using Exefile</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+\.</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)exefile</field>
    </rule>
    <rule id="902255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Add Debugger Entry To Hangs Key For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+Hangs\\+Debugger</field>
    </rule>
    <rule id="902256" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Hhctrl.ocx</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+\{52A2AAAE\-085D\-4187\-97EA\-8C30DB990436\}\\+InprocServer32\\+$Default$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+hhctrl\.ocx</field>
    </rule>
    <rule id="902257" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Registry Modification to Hidden File Extension</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+HideFileExt)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902258" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Registry Modification to Hidden File Extension</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+Hidden)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902259" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Displaying Hidden Files Feature Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowSuperHidden|\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+Hidden)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902260" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Hide Function from User</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideClock|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAHealth|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCANetwork|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAPower|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAVolume)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902261" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Hide Function from User</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowInfoTip|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowCompColor)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902262" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Hide Schedule Task Via Index Value Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Index</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902263" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+ProtocolDefaults</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+http|\\+https)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902264" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Uncommon Extension In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.ime)$</field>
    </rule>
    <rule id="902265" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Path In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Path In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="902267" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>New Root or CA or AuthRoot Certificate to Store</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+AuthRoot\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+AuthRoot\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+AuthRoot\\+Certificates\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Blob)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Binary\ Data</field>
    </rule>
    <rule id="902268" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Internet Explorer DisableFirstRunCustomize Enabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Internet\ Explorer\\+Main\\+DisableFirstRunCustomize)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$|DWORD\ $0x00000002$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+ie4uinit\.exe</field>
    </rule>
    <rule id="902269" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potential Ransomware Activity Using LegalNotice Message</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LegalNoticeCaption|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LegalNoticeText</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)encrypted|Unlock\-Password|paying</field>
    </rule>
    <rule id="902270" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Lolbas OneDriveStandaloneUpdater.exe Proxy Download</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+OneDrive\\+UpdateOfficeConfig\\+UpdateRingSettingURLFromOC</field>
    </rule>
    <rule id="902271" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Lsass Full Dump Request Via DumpType Registry Settings</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+LocalDumps\\+DumpType|\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+LocalDumps\\+lsass\.exe\\+DumpType</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902272" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RestrictedAdminMode Registry Value Tampering</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Lsa\\+DisableRestrictedAdmin)$</field>
    </rule>
    <rule id="902273" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Blue Mockingbird - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CurrentControlSet\\+Services\\+wercplsupport\\+Parameters\\+ServiceDll)$</field>
    </rule>
    <rule id="902274" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>Potential Persistence Via Netsh Helper DLL - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="902275" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>New Netsh Helper DLL Registered From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902276" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>New Netsh Helper DLL Registered From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="902277" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NET NGenAssemblyUsageLog Registry Key Tamper</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+\.NETFramework\\+NGenAssemblyUsageLog)$</field>
    </rule>
    <rule id="902278" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>New Application in AppCompat</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+AppCompatFlags\\+Compatibility\ Assistant\\+Store\\+</field>
    </rule>
    <rule id="902279" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Using New NetworkProvider - REG</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+WebClient\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+LanmanWorkstation\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+RDPNP\\+NetworkProvider</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+poqexec\.exe</field>
    </rule>
    <rule id="902280" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>New ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SQL\ Server\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%WINDIR%\\+System32\\+SQLSRV32\.dll</field>
    </rule>
    <rule id="902281" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>New ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\ Access\ )</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Progra)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+ACEODBC\.DLL)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\ Excel\ Driver</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Progra)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+ACEODBC\.DLL)$</field>
    </rule>
    <rule id="902282" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potentially Suspicious ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver|\\+Setup)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+ProgramData\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Registration\\+CRMLog|:\\+Windows\\+System32\\+com\\+dmp\\+|:\\+Windows\\+System32\\+FxsTmp\\+|:\\+Windows\\+System32\\+Microsoft\\+Crypto\\+RSA\\+MachineKeys\\+|:\\+Windows\\+System32\\+spool\\+drivers\\+color\\+|:\\+Windows\\+System32\\+spool\\+PRINTERS\\+|:\\+Windows\\+System32\\+spool\\+SERVERS\\+|:\\+Windows\\+System32\\+Tasks_Migrated\\+|:\\+Windows\\+System32\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|:\\+Windows\\+SysWOW64\\+com\\+dmp\\+|:\\+Windows\\+SysWOW64\\+FxsTmp\\+|:\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+PLA\\+System\\+|:\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|:\\+Windows\\+Tracing\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Roaming\\+</field>
    </rule>
    <rule id="902283" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Trust Access Disable For VBApplications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Security\\+AccessVBOM)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902284" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Office Protected View Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+ProtectedView\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableAttachementsInPV|\\+DisableInternetFilesInPV|\\+DisableIntranetCheck|\\+DisableUnsafeLocationsInPV)$</field>
    </rule>
    <rule id="902285" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Office Protected View Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+ProtectedView\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+enabledatabasefileprotectedview|\\+enableforeigntextfileprotectedview)$</field>
    </rule>
    <rule id="902286" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.002</id>
        </mitre>
        <description>Enable Microsoft Dynamic Data Exchange</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Word\\+Security\\+AllowDDE)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$|DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902287" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.002</id>
        </mitre>
        <description>Enable Microsoft Dynamic Data Exchange</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Excel\\+Security\\+DisableDDEServerLaunch|\\+Excel\\+Security\\+DisableDDEServerLookup)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902288" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+LoadMacroProviderOnBoot)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)0x00000001</field>
    </rule>
    <rule id="902289" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Outlook Macro Execution Without Warning Setting Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+Security\\+Level)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)0x00000001</field>
    </rule>
    <rule id="902290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Outlook EnableUnsafeClientMailRules Setting Enabled - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+Security\\+EnableUnsafeClientMailRules)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902291" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Outlook Security Settings Updated - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Security\\+</field>
    </rule>
    <rule id="902292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Uncommon Microsoft Office Trusted Location Added</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Security\\+Trusted\ Locations\\+Location</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Path)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+</field>
    </rule>
    <rule id="902293" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Uncommon Microsoft Office Trusted Location Added</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Security\\+Trusted\ Locations\\+Location</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Path)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%APPDATA%\\+Microsoft\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%APPDATA%%\\+Microsoft\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%APPDATA%\\+Microsoft\\+Word\\+Startup</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%APPDATA%%\\+Microsoft\\+Word\\+Startup</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+Templates\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\ $x86$\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+root\\+Templates\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+Templates\\+</field>
    </rule>
    <rule id="902294" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Office Macros Warning Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Security\\+VBAWarnings)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902295" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>MaxMpxCt Registry Value Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+LanmanServer\\+Parameters\\+MaxMpxCt)$</field>
    </rule>
    <rule id="902296" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Using DebugPath</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+ActivatableClasses\\+Package\\+Microsoft\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DebugPath)$</field>
    </rule>
    <rule id="902297" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Using DebugPath</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+PackagedAppXDebug\\+Microsoft\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+$Default$)$</field>
    </rule>
    <rule id="902298" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via AppCompat RegisterAppRestart Layer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Layers\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)REGISTERAPPRESTART</field>
    </rule>
    <rule id="902299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.012</id>
        </mitre>
        <description>Potential Persistence Via App Paths Default Property</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+App\ Paths</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:$Default$|Path)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Users\\+Public|\\+AppData\\+Local\\+Temp\\+|\\+Windows\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|%temp%|%tmp%|iex|Invoke\-|rundll32|regsvr32|mshta|cscript|wscript|\.bat|\.hta|\.dll|\.ps1</field>
    </rule>
    <rule id="902300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via AutodialDLL</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+WinSock2\\+Parameters\\+AutodialDLL</field>
    </rule>
    <rule id="902301" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via CHM Helper DLL</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+HtmlHelp\ Author\\+Location|\\+Software\\+WOW6432Node\\+Microsoft\\+HtmlHelp\ Author\\+Location</field>
    </rule>
    <rule id="902302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential PSFactoryBuffer COM Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CLSID\\+\{c90250f3\-4d7d\-4991\-9b69\-a5c5bc1c2ae6\}\\+InProcServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%windir%\\+System32\\+ActXPrxy\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+ActXPrxy\.dll</field>
    </rule>
    <rule id="902303" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via COM Hijacking From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+InprocServer32\\+$Default$|\\+LocalServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|\\+System32\\+spool\\+drivers\\+color\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|%appdata%|%temp%|%tmp%</field>
    </rule>
    <rule id="902304" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Custom Protocol Handler</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKCR\\+)</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:URL:)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:URL:ms\-)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="902305" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Event Viewer Events.asp</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgram|\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionURL</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgram)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%SystemRoot%%\\+PCHealth\\+HelpCtr\\+Binaries\\+HelpCtr\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgramCommandLineParameters)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\-url\ hcp://services/centers/support.topic=%%s</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)http://go\.microsoft\.com/fwlink/events\.asp</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
    </rule>
    <rule id="902306" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1546.012</id>
            <id>car.2013-01-002</id>
        </mitre>
        <description>Potential Persistence Via GlobalFlags</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Image\ File\ Execution\ Options\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+GlobalFlag</field>
    </rule>
    <rule id="902307" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1546.012</id>
            <id>car.2013-01-002</id>
        </mitre>
        <description>Potential Persistence Via GlobalFlags</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SilentProcessExit\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ReportingMode|\\+MonitorProcess</field>
    </rule>
    <rule id="902308" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Modification of IE Registry Settings</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)Cookie:</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)Visited:</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Cache</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ZoneMap</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+WpadDecision</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)Binary\ Data</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Accepted\ Documents\\+</field>
    </rule>
    <rule id="902309" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PersistentHandler</field>
    </rule>
    <rule id="902310" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+CLSID</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PersistentAddinsRegistered\\+\{89BCB740\-6119\-101A\-BCB7\-00DD010655AF\}</field>
    </rule>
    <rule id="902311" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{4F46F75F\-199F\-4C63\-8B7D\-86D48FE7970C\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{4887767F\-7ADC\-4983\-B576\-88FB643D6F79\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{D3B41FA1\-01E3\-49AF\-AA25\-1D0D824275AE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{72773E1A\-B711\-4d8d\-81FA\-B9A43B0650DD\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{098f2470\-bae0\-11cd\-b579\-08002b30bfeb\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{1AA9BF05\-9A97\-48c1\-BA28\-D9DCE795E93C\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{2e2294a9\-50d7\-4fe7\-a09f\-e6492e185884\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{34CEAC8D\-CBC0\-4f77\-B7B1\-8A60CB6DA0F7\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{3B224B11\-9363\-407e\-850F\-C9E1FFACD8FB\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{3DDEB7A4\-8ABF\-4D82\-B9EE\-E1F4552E95BE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5645C8C1\-E277\-11CF\-8FDA\-00AA00A14F93\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5645C8C4\-E277\-11CF\-8FDA\-00AA00A14F93\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{58A9EBF6\-5755\-4554\-A67E\-A2467AD1447B\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5e941d80\-bf96\-11cd\-b579\-08002b30bfeb\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{698A4FFC\-63A3\-4E70\-8F00\-376AD29363FB\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{7E9D8D44\-6926\-426F\-AA2B\-217A819A5CCE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{8CD34779\-9F10\-4f9b\-ADFB\-B3FAEABDAB5A\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{9694E38A\-E081\-46ac\-99A0\-8743C909ACB6\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{98de59a0\-d175\-11cd\-a7bd\-00006b827d94\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{AA10385A\-F5AA\-4EFF\-B3DF\-71B701E25E18\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{B4132098\-7A03\-423D\-9463\-163CB07C151F\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{d044309b\-5da6\-4633\-b085\-4ed02522e5a5\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{D169C14A\-5148\-4322\-92C8\-754FC9D018D8\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{DD75716E\-B42E\-4978\-BB60\-1497B92E30C4\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{E2F83EED\-62DE\-4A9F\-9CD0\-A1D40DCD13B6\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{E772CEB3\-E203\-4828\-ADF1\-765713D981B8\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{eec97550\-47a9\-11cf\-b952\-00aa0051fe20\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{FB10BD80\-A331\-4e9e\-9EB7\-00279903AD99\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="902312" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via LSA Extensions</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Control\\+LsaExtensionConfig\\+LsaSrv\\+Extensions</field>
    </rule>
    <rule id="902313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Mpnotify</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+mpnotify</field>
    </rule>
    <rule id="902314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via MyComputer Registry Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+MyComputer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:$Default$)$</field>
    </rule>
    <rule id="902315" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1137.006</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Visual Studio Tools for Office</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Office\\+Outlook\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Word\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Excel\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Powerpoint\\+Addins\\+|\\+Software\\+Microsoft\\+VSTO\\+Security\\+Inclusion\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+visio\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+AVG\\+Antivirus\\+RegSvr\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Office\\+Outlook\\+Addins\\+Antivirus\.AsOutExt\\+</field>
    </rule>
    <rule id="902316" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Stamp)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902317" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:UserDefinedUrl)$</field>
    </rule>
    <rule id="902318" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
    </rule>
    <rule id="902319" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential WerFault ReflectDebugger Registry Value Abuse</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+Hangs\\+ReflectDebugger)$</field>
    </rule>
    <rule id="902320" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via Scrobj.dll COM Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:InprocServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+scrobj\.dll</field>
    </rule>
    <rule id="902321" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via COM Search Order Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+InprocServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+system32\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+SysWow64\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileCoAuthLib64\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileSyncShell64\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileSyncApi64\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+SecurityHealthService\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+TeamsMeetingAddin\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Microsoft\.Teams\.AddinLoader\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Dropbox\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+DropboxExt64\..+\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:TmopIEPlg\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileRepository\\+nvmdi\.inf</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdateComRegisterShell64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+SYSTEM32\\+dxdiag\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+pyshellext\.amd64\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+pyshellext\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+dnssdX\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+dnssdX\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+spool\\+drivers\\+x64\\+3\\+PrintConfig\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+GamingServicesProxy\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+Autopilot\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+SecurityHealthService\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+SecurityHealth</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+InProcServer32\\+$Default$)$</field>
    </rule>
    <rule id="902322" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via Shim Database Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+InstalledSDB\\+|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Custom\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)</field>
    </rule>
    <rule id="902323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Suspicious Shim Database Patching Activity</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Custom\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+dllhost\.exe|\\+explorer\.exe|\\+RuntimeBroker\.exe|\\+services\.exe|\\+sihost\.exe|\\+svchost\.exe|\\+taskhostw\.exe|\\+winlogon\.exe|\\+WmiPrvSe\.exe)$</field>
    </rule>
    <rule id="902324" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via Shim Database In Uncommon Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+InstalledSDB\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+DatabasePath</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+AppPatch\\+Custom</field>
    </rule>
    <rule id="902325" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via TypedPaths</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+TypedPaths\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+explorer\.exe</field>
    </rule>
    <rule id="902326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Excel Add-in - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Excel\\+Options)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:/R\ )</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="902327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Associations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Associations\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DefaultFileTypeRisk)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00006152$</field>
    </rule>
    <rule id="902328" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Associations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Associations\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LowRiskFileTypes)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.zip;|\.rar;|\.exe;|\.bat;|\.com;|\.cmd;|\.reg;|\.msi;|\.htm;|\.html;</field>
    </rule>
    <rule id="902329" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+HideZoneInfoOnProperties)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902330" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SaveZoneInformation)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ScanWithAntiVirus)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902332" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell as a Service in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ImagePath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="902333" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Script Execution Policy Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Policies\\+Microsoft\\+Windows\\+PowerShell\\+EnableScripts)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902334" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential PowerShell Execution Policy Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ShellIds\\+Microsoft\.PowerShell\\+ExecutionPolicy|\\+Policies\\+Microsoft\\+Windows\\+PowerShell\\+ExecutionPolicy)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Bypass|Unrestricted</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="902335" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Powershell In Registry Run Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:powershell|pwsh\ |FromBase64String|\.DownloadFile\(|\.DownloadString\(|\ \-w\ hidden\ |\ \-w\ 1\ |\-windowstyle\ hidden|\-window\ hidden|\ \-nop\ |\ \-encodedcommand\ |\-ExecutionPolicy\ Bypass|Invoke\-Expression|IEX\ \(|Invoke\-Command|ICM\ \-|Invoke\-WebRequest|IWR\ |\ \-noni\ |\ \-noninteractive\ )</field>
    </rule>
    <rule id="902336" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>PowerShell Logging Disabled Via Registry Key Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+PowerShell\\+|\\+Microsoft\\+PowerShellCore\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ModuleLogging\\+EnableModuleLogging|\\+ScriptBlockLogging\\+EnableScriptBlockLogging|\\+ScriptBlockLogging\\+EnableScriptBlockInvocationLogging|\\+Transcription\\+EnableTranscripting|\\+Transcription\\+EnableInvocationHeader|\\+EnableScripts)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Provisioning\\+Commands\\+</field>
    </rule>
    <rule id="902338" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Usage of Renamed Sysinternals Tools - RegistrySet</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PsExec|\\+ProcDump|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+PsLoglist|\\+PsPasswd|\\+Active\ Directory\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer64\.exe)$</field>
    </rule>
    <rule id="902339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Usage of Renamed Sysinternals Tools - RegistrySet</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PsExec|\\+ProcDump|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+PsLoglist|\\+PsPasswd|\\+Active\ Directory\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)None</field>
    </rule>
    <rule id="902340" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled For rpcrt4.dll</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+Rpc\\+ExtErrorInformation)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$|DWORD\ $0x00000002$</field>
    </rule>
    <rule id="902341" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>ScreenSaver Registry Key Set</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\ Panel\\+Desktop\\+SCRNSAVE\.EXE</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="902342" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential SentinelOne Shell Context Menu Scan Command Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+shell\\+SentinelOneScan\\+command\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SentinelOne\\+Sentinel\ Agent)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SentinelOne\\+Sentinel\ Agent)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+SentinelScanFromContextMenu\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+SentinelOne\\+)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+SentinelOne\\+)$</field>
    </rule>
    <rule id="902343" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>ServiceDll Hijack</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+spool\\+drivers\\+x64\\+3\\+PrintConfig\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+lsass\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Services\\+NTDS\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+system32\\+ntdsa\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+poqexec\.exe</field>
    </rule>
    <rule id="902344" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>ServiceDll Hijack</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+STAgent\.dll</field>
    </rule>
    <rule id="902345" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled For SCM</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Tracing\\+SCM\\+Regular\\+TracingDisabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902346" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Explorer Policy Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoLogOff|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoDesktop|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoRun|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoFind|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoControlPanel|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoFileMenu|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoClose|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoSetTaskbar|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoPropertiesMyDocuments|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoTrayContextMenu)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.003</id>
        </mitre>
        <description>Persistence Via New SIP Provider</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Cryptography\\+Providers\\+|\\+SOFTWARE\\+Microsoft\\+Cryptography\\+OID\\+EncodingType|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+Cryptography\\+Providers\\+|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+Cryptography\\+OID\\+EncodingType</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Dll|\\+\$DLL</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)WINTRUST\.DLL</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)mso\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+poqexec\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CryptSIPDll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+PsfSip\.dll</field>
    </rule>
    <rule id="902348" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper With Sophos AV Registry Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Sophos\ Endpoint\ Defense\\+TamperProtection\\+Config\\+SAVEnabled|\\+Sophos\ Endpoint\ Defense\\+TamperProtection\\+Config\\+SEDEnabled|\\+Sophos\\+SAVService\\+TamperProtection\\+Enabled</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902349" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.002</id>
        </mitre>
        <description>Hiding User Account Via SpecialAccounts Registry Key</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+SpecialAccounts\\+UserList</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Activate Suppression of Windows Security Center Notifications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+UX\ Configuration\\+Notification_Suppress)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902351" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Suspicious Keyboard Layout Load</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Keyboard\ Layout\\+Preload\\+|\\+Keyboard\ Layout\\+Substitutes\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)429|50429|0000042a</field>
    </rule>
    <rule id="902352" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential PendingFileRenameOperations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Session\ Manager\\+PendingFileRenameOperations</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+</field>
    </rule>
    <rule id="902353" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential PendingFileRenameOperations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)SetValue</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Session\ Manager\\+PendingFileRenameOperations</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe|\\+regedit\.exe)$</field>
    </rule>
    <rule id="902354" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
        </mitre>
        <description>Suspicious Printer Driver Empty Manufacturer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Manufacturer</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)$Empty$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CutePDF\ Writer\ v4\.0\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer\ $PS$\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer\ $UD$\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Version\-3\\+PDF24\\+</field>
    </rule>
    <rule id="902355" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Registry Persistence via Explorer Run Key</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+Run)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin\\+|:\\+ProgramData\\+|:\\+Temp\\+|:\\+Users\\+Default\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="902356" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>New RUN Key Pointing to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin\\+|:\\+Temp\\+|:\\+Users\\+Default\\+|:\\+Users\\+Desktop\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|%temp%\\+|%tmp%\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:%Public%\\+|wscript|cscript)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+Download\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)rundll32\.exe\ C:\\+WINDOWS\\+system32\\+advpack\.dll,DelNodeRunDLL32</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="902357" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1562.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Service Installed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+System\\+CurrentControlSet\\+Services\\+NalDrv\\+ImagePath|HKLM\\+System\\+CurrentControlSet\\+Services\\+PROCEXP152\\+ImagePath</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+WINDOWS\\+system32\\+Drivers\\+PROCEXP152\.SYS</field>
    </rule>
    <rule id="902358" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Modify User Shell Folders Startup Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+User\ Shell\ Folders</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Startup)$</field>
    </rule>
    <rule id="902359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Enable LM Hash Storage</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Lsa\\+NoLMHash)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902360" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled TaskCache Change by Uncommon Program</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+UpdateOrchestrator</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+SoftwareProtectionPlatform\\+SvcRestartTask\\+Index</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+Flighting\\+OneSettings\\+RefreshCache\\+Index</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+WINDOWS\\+system32\\+svchost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tasks\\+\{B66B135D\-DA06\-4FC4\-95F8\-7458E1D10129\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+Microsoft\\+Windows\\+\.NET\ Framework\\+\.NET\ Framework\ NGEN</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+Integration\\+Integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+Integration\\+Integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+msiexec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Dropbox\\+Update\\+DropboxUpdate\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dropbox\\+Update\\+DropboxUpdate\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+Microsoft\\+Windows\\+PLA\\+Server\ Manager\ Performance\ Monitor\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)System</field>
    </rule>
    <rule id="902361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Potential Registry Persistence Attempt Via Windows Telemetry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+TelemetryController\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Command)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.bat|\.bin|\.cmd|\.dat|\.dll|\.exe|\.hta|\.jar|\.js|\.msi|\.ps|\.sh|\.vb</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+system32\\+CompatTelRunner\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+system32\\+DeviceCensus\.exe</field>
    </rule>
    <rule id="902362" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed to Zero</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+fDenyTSConnections|\\+fSingleSessionPerUser|\\+UserAuthentication)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902363" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+|\\+Windows\ NT\\+Terminal\ Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Shadow)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$|DWORD\ $0x00000002$|DWORD\ $0x00000003$|DWORD\ $0x00000004$</field>
    </rule>
    <rule id="902364" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+|\\+Windows\ NT\\+Terminal\ Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableRemoteDesktopAntiAlias|\\+DisableSecuritySettings|\\+fAllowUnsolicited|\\+fAllowUnsolicitedFullControl)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902365" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+InitialProgram|\\+Control\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+InitialProgram|\\+services\\+TermService\\+Parameters\\+ServiceDll|\\+Windows\ NT\\+Terminal\ Services\\+InitialProgram</field>
    </rule>
    <rule id="902366" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1547.003</id>
        </mitre>
        <description>New TimeProviders Registered With Uncommon DLL Name</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+W32Time\\+TimeProviders</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DllName)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%SystemRoot%\\+System32\\+vmictimeprovider\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%systemroot%\\+system32\\+w32time\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SYSTEM32\\+w32time\.DLL</field>
    </rule>
    <rule id="902367" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Old TLS1.0/TLS1.1 Protocol Version Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+SecurityProviders\\+SCHANNEL\\+Protocols\\+TLS\ 1\.0\\+|\\+Control\\+SecurityProviders\\+SCHANNEL\\+Protocols\\+TLS\ 1\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902368" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>COM Hijacking via TreatAs</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:TreatAs\\+$Default$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+svchost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+msiexec\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+msiexec\.exe</field>
    </rule>
    <rule id="902369" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Signing Bypass Via Windows Developer Features - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+AppModelUnlock|\\+Policies\\+Microsoft\\+Windows\\+Appx\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AllowAllTrustedApps|\\+AllowDevelopmentWithoutDevLicense)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902370" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Event Viewer</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+mscfile\\+shell\\+open\\+command)$</field>
    </rule>
    <rule id="902371" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Classes\\+exefile\\+shell\\+runas\\+command\\+isolatedCommand)$</field>
    </rule>
    <rule id="902372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Classes\\+Folder\\+shell\\+open\\+command\\+SymbolicLinkValue)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)-1[0-9]{3}\\+Software\\+Classes\\+</field>
    </rule>
    <rule id="902373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Root\\+InventoryApplicationFile\\+winsat\.exe\|</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LowerCaseLongPath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:c:\\+users\\+)</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\\+appdata\\+local\\+temp\\+system32\\+winsat\.exe)$</field>
    </rule>
    <rule id="902374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Compatibility\ Assistant\\+Store\\+C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Binary\ Data</field>
    </rule>
    <rule id="902375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>VBScript Payload Stored in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)vbscript:|jscript:|mshtml,|RunHTMLApplication|Execute\(|CreateObject|window\.close</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Installer\\+UserData\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Microsoft\.NET\\+Primary\ Interop\ Assemblies\\+Microsoft\.mshtml\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)&lt;\\+Microsoft\.mshtml,fileVersion=</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)_mshtml_dll_</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)&lt;\\+Microsoft\.mshtml,culture=</field>
    </rule>
    <rule id="902376" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution DLL of Choice Using WAB.EXE</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+Microsoft\\+WAB\\+DLLPath)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%CommonProgramFiles%\\+System\\+wab32\.dll</field>
    </rule>
    <rule id="902377" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Wdigest Enable UseLogonCredential</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:WDigest\\+UseLogonCredential)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902378" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender Functionalities Via Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableAntiSpyware|\\+DisableAntiVirus|\\+Real\-Time\ Protection\\+DisableBehaviorMonitoring|\\+Real\-Time\ Protection\\+DisableIntrusionPreventionSystem|\\+Real\-Time\ Protection\\+DisableIOAVProtection|\\+Real\-Time\ Protection\\+DisableOnAccessProtection|\\+Real\-Time\ Protection\\+DisableRealtimeMonitoring|\\+Real\-Time\ Protection\\+DisableScanOnRealtimeEnable|\\+Real\-Time\ Protection\\+DisableScriptScanning|\\+Reporting\\+DisableEnhancedNotifications|\\+SpyNet\\+DisableBlockAtFirstSeen)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender Functionalities Via Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+App\ and\ Browser\ protection\\+DisallowExploitProtectionOverride|\\+Features\\+TamperProtection|\\+MpEngine\\+MpEnablePus|\\+PUAProtection|\\+Signature\ Update\\+ForceUpdateFromMU|\\+SpyNet\\+SpynetReporting|\\+SpyNet\\+SubmitSamplesConsent|\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+EnableControlledFolderAccess)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902380" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Winget Admin Settings Modification</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winget\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:\\+REGISTRY\\+A\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LocalState\\+admin_settings)$</field>
    </rule>
    <rule id="902381" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Enable Local Manifest Installation With Winget</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppInstaller\\+EnableLocalManifestFiles)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000001$</field>
    </rule>
    <rule id="902382" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Winlogon AllowMultipleTSSessions Enable</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+AllowMultipleTSSessions)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902383" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>Winlogon Notify Key Logon Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+Notify\\+logon)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="902384" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Configuration Change</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)16</field>
    </rule>
    <rule id="902385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Error</description>
        <options>no_full_log</options>
        <group>windows,sysmon_error,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error|Failed\ to\ connect\ to\ the\ driver\ to\ update\ configuration</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Last\ error:\ The\ media\ is\ write\ protected\.</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error\ 19</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error\ 93</field>
    </rule>
    <rule id="902386" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Stopped</field>
    </rule>
    <rule id="902387" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Sysmon\ config\ state\ changed</field>
    </rule>
    <rule id="902388" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="yes" type="pcre2">(?i)Started</field>
    </rule>
    <rule id="902389" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_executable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Blocked Executable</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)27</field>
    </rule>
    <rule id="902390" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_shredding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Blocked File Shredding</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)28</field>
    </rule>
    <rule id="902391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon File Executable Creation Detected</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)29</field>
    </rule>
    <rule id="902392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Event Subscription</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)19|20|21</field>
    </rule>
    <rule id="902393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Suspicious Encoded Scripts in a WMI Consumer</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destination" negate="no" type="pcre2">WriteProcessMemory|This\ program\ cannot\ be\ run\ in\ DOS\ mode|This\ program\ must\ be\ run\ under\ Win32</field>
    </rule>
    <rule id="902394" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
        </mitre>
        <description>Suspicious Scripting in a WMI Consumer</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)net\.webclient</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\.downloadstring</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)net\.webclient</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\.downloadfile</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\ iex\(|\ \-nop\ |\ \-noprofile\ |\ \-decode\ |\ \-enc\ |WScript\.Shell|System\.Security\.Cryptography\.FromBase64Transform</field>
    </rule>
</group>

Changed text

Open file

<group name="sigma,">
    
    <rule id="900001" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:JobAdd)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:atsvc)$</field>
    </rule>
    <rule id="900002" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcEnableTask)$</field>
    </rule>
    <rule id="900003" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcRegisterTask)$</field>
    </rule>
    <rule id="900004" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ITaskSchedulerService)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:SchRpcRun)$</field>
    </rule>
    <rule id="900005" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IWbemServices)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:ExecMethod)$</field>
    </rule>
    <rule id="900006" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IWbemServices)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:ExecMethodAsync)$</field>
    </rule>
    <rule id="900007" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:CreateServiceA)$</field>
    </rule>
    <rule id="900008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:CreateServiceW)$</field>
    </rule>
    <rule id="900009" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:StartServiceA)$</field>
    </rule>
    <rule id="900010" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>MITRE BZAR Indicators for Execution</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:StartServiceW)$</field>
    </rule>
    <rule id="900011" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAddMonitor)$</field>
    </rule>
    <rule id="900012" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAddPrintProcessor)$</field>
    </rule>
    <rule id="900013" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IRemoteWinspool)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAsyncAddMonitor)$</field>
    </rule>
    <rule id="900014" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:IRemoteWinspool)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAsyncAddPrintProcessor)$</field>
    </rule>
    <rule id="900015" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ISecLogon)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:SeclCreateProcessWithLogonW)$</field>
    </rule>
    <rule id="900016" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>MITRE BZAR Indicators for Persistence</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.endpoint" negate="no" type="pcre2">(?i)^(?:ISecLogon)$</field>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:SeclCreateProcessWithLogonExW)$</field>
    </rule>
    <rule id="900017" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1557.001</id>
            <id>attack.t1187</id>
        </mitre>
        <description>Potential PetitPotam Attack Via EFS RPC Calls</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:efs)</field>
    </rule>
    <rule id="900018" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>cve.2021.1678</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>Possible PrintNightmare Print Driver Install</description>
        <options>no_full_log</options>
        <group>zeek,dce_rpc,</group>
        <field name="data.operation" negate="no" type="pcre2">(?i)^(?:RpcAsyncInstallPrinterDriverFromPackage|RpcAsyncAddPrintProcessor|RpcAddPrintProcessor|RpcAddPrinterDriverEx|RpcAddPrinterDriver|RpcAsyncAddPrinterDriver)$</field>
    </rule>
    <rule id="900019" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>SMB Spoolss Name Piped Usage</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)(?:IPC\$)$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>
    </rule>
    <rule id="900020" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.s0154</id>
        </mitre>
        <description>Default Cobalt Strike Certificate</description>
        <options>no_full_log</options>
        <group>zeek,x509,</group>
        <field name="data.certificate.serial" negate="no" type="pcre2">(?i)^(?:8BB00EE)$</field>
    </rule>
    <rule id="900021" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>DNS Events Related To Mining Pools</description>
        <options>no_full_log</options>
        <group>dns,zeek,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)(?:monerohash\.com|do\-dear\.com|xmrminerpro\.com|secumine\.net|xmrpool\.com|minexmr\.org|hashanywhere\.com|xmrget\.com|mininglottery\.eu|minergate\.com|moriaxmr\.com|multipooler\.com|moneropools\.com|xmrpool\.eu|coolmining\.club|supportxmr\.com|minexmr\.com|hashvault\.pro|xmrpool\.net|crypto\-pool\.fr|xmr\.pt|miner\.rocks|walpool\.com|herominers\.com|gntl\.co\.uk|semipool\.com|coinfoundry\.org|cryptoknight\.cc|fairhash\.org|baikalmine\.com|tubepool\.xyz|fairpool\.xyz|asiapool\.io|coinpoolit\.webhop\.me|nanopool\.org|moneropool\.com|miner\.center|prohash\.net|poolto\.be|cryptoescrow\.eu|monerominers\.net|cryptonotepool\.org|extrmepool\.org|webcoin\.me|kippo\.eu|hashinvest\.ws|monero\.farm|linux\-repository\-updates\.com|1gh\.com|dwarfpool\.com|hash\-to\-coins\.com|pool\-proxy\.com|hashfor\.cash|fairpool\.cloud|litecoinpool\.org|mineshaft\.ml|abcxyz\.stream|moneropool\.ru|cryptonotepool\.org\.uk|extremepool\.org|extremehash\.com|hashinvest\.net|unipool\.pro|crypto\-pools\.org|monero\.net|backup\-pool\.com|mooo\.com|freeyy\.me|cryptonight\.net|shscrypto\.net)$</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)^(?:127\.0\.0\.1)$</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)^(?:0\.0\.0\.0)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:true)</field>
    </rule>
    <rule id="900022" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>New Kind of Network (NKN) Detection</description>
        <options>no_full_log</options>
        <group>zeek,dns,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)seed</field>
        <field name="data.query" negate="no" type="pcre2">(?i)\.nkn\.org</field>
    </rule>
    <rule id="900023" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1095</id>
            <id>attack.t1571</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious DNS Z Flag Bit Set</description>
        <options>no_full_log</options>
        <group>zeek,dns,</group>
        <field name="data.z" negate="yes" type="pcre2">(?i)^(?:0)$</field>
        <field name="data.query" negate="no" type="pcre2">(?i)\.</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.arpa)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.local)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.ultradns\.net)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.twtrdns\.net)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-prd\.info)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azure\-dns\.com)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-ff\.info)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuredns\-ff\.org)$</field>
        <field name="data.query" negate="yes" type="pcre2">(?i)(?:\.azuregov\-dns\.org)$</field>
        <field name="data.qtype_name" negate="yes" type="pcre2">(?i)^(?:ns)$</field>
        <field name="data.qtype_name" negate="yes" type="pcre2">(?i)^(?:mx)$</field>
        <field name="data.answers" negate="yes" type="pcre2">(?i)(?:\\+x00)$</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)^(?:137)$</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)^(?:138)$</field>
        <field name="data.dstport" negate="yes" type="pcre2">(?i)^(?:139)$</field>
    </rule>
    <rule id="900024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>DNS TOR Proxies</description>
        <options>no_full_log</options>
        <group>dns,zeek,</group>
        <field name="data.query" negate="no" type="pcre2">(?i)^(?:tor2web\.org|tor2web\.com|torlink\.co|onion\.to|onion\.ink|onion\.cab|onion\.nu|onion\.link|onion\.it|onion\.city|onion\.direct|onion\.top|onion\.casa|onion\.plus|onion\.rip|onion\.dog|tor2web\.fi|tor2web\.blutmagie\.de|onion\.sh|onion\.lu|onion\.pet|t2w\.pw|tor2web\.ae\.org|tor2web\.io|tor2web\.xyz|onion\.lt|s1\.tor\-gateways\.de|s2\.tor\-gateways\.de|s3\.tor\-gateways\.de|s4\.tor\-gateways\.de|s5\.tor\-gateways\.de|hiddenservice\.net)$</field>
    </rule>
    <rule id="900025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Executable from Webdav</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="data.c-useragent" negate="no" type="pcre2">(?i)WebDAV</field>
        <field name="data.c-uri" negate="no" type="pcre2">(?i)webdav</field>
        <field name="data.resp_mime_types" negate="no" type="pcre2">(?i)dosexec</field>
        <field name="data.c-uri" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900026" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.initial_access</id>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1068</id>
            <id>attack.t1190</id>
            <id>attack.t1203</id>
            <id>attack.t1021.006</id>
            <id>attack.t1210</id>
        </mitre>
        <description>OMIGOD HTTP No Authentication RCE</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="data.status_code" negate="no" type="pcre2">(?i)^(?:200)$</field>
        <field name="data.uri" negate="no" type="pcre2">(?i)^(?:/wsman)$</field>
        <field name="data.method" negate="no" type="pcre2">(?i)^(?:POST)$</field>
        <field name="data.client_header_names" negate="yes" type="pcre2">(?i)AUTHORIZATION</field>
        <field name="data.request_body_len" negate="yes" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900027" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>WebDav Put Request</description>
        <options>no_full_log</options>
        <group>zeek,http,</group>
        <field name="full_log" negate="no" type="pcre2">(?i)WebDAV</field>
        <field name="data.method" negate="no" type="pcre2">(?i)^(?:PUT)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
    </rule>
    <rule id="900028" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Publicly Accessible RDP Service</description>
        <options>no_full_log</options>
        <group>zeek,rdp,</group>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:2620:83:8000::/48)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
    </rule>
    <rule id="900029" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>car.2013-05-004</id>
            <id>car.2015-04-001</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Remote Task Creation via ATSVC Named Pipe - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)^(?:atsvc)$</field>
    </rule>
    <rule id="900030" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Possible Impacket SecretDump Remote Activity - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+</field>
        <field name="data.path" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)SYSTEM32\\+</field>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\.tmp)$</field>
    </rule>
    <rule id="900031" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>First Time Seen Remote Named Pipe - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:samr)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:lsarpc)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:winreg)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:netlogon)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:srvsvc)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:protected_storage)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:wkssvc)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:browser)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:netdfs)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:svcctl)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:spoolss)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:ntsvcs)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:LSM_API_service)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:HydraLsPipe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:TermSrv_API_service)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:MsFteWds)</field>
    </rule>
    <rule id="900032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious PsExec Execution - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+</field>
        <field name="data.path" negate="no" type="pcre2">(?i)\\+IPC\$</field>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\-stdin|\-stdout|\-stderr)$</field>
        <field name="data.name" negate="yes" type="pcre2">(?i)^(?:PSEXESVC)</field>
    </rule>
    <rule id="900033" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
        </mitre>
        <description>Suspicious Access to Sensitive File Extensions - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.name" negate="no" type="pcre2">(?i)(?:\.pst|\.ost|\.msg|\.nst|\.oab|\.edb|\.nsf|\.bak|\.dmp|\.kirbi|\\+groups\.xml|\.rdp)$</field>
    </rule>
    <rule id="900034" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Transferring Files with Credential Data via Network Shares - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files,</group>
        <field name="data.name" negate="no" type="pcre2">(?i)^(?:\\+mimidrv|\\+lsass|\\+windows\\+minidump\\+|\\+hiberfil|\\+sqldmpr|\\+sam|\\+ntds\.dit|\\+security)$</field>
    </rule>
    <rule id="900035" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Kerberos Network Traffic RC4 Ticket Encryption</description>
        <options>no_full_log</options>
        <group>zeek,kerberos,</group>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:TGS)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:rc4\-hmac)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\$)</field>
    </rule>
    <rule id="900036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.s0002</id>
            <id>attack.lateral_movement</id>
            <id>attack.credential_access</id>
            <id>car.2013-07-001</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Mimikatz Use</description>
        <options>no_full_log</options>
        <group>windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:dpapi::masterkey|eo\.oe\.kiwi|event::clear|event::drop|gentilkiwi\.com|kerberos::golden|kerberos::ptc|kerberos::ptt|kerberos::tgt|Kiwi\ Legit\ Printer|lsadump::|mimidrv\.sys|\\+mimilib\.dll|misc::printnightmare|misc::shadowcopies|misc::skeleton|privilege::backup|privilege::debug|privilege::driver|sekurlsa::)</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)^(?:15)$</field>
    </rule>
    <rule id="900037" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Malware Protection Engine Crash</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Application\ Error)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1000)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)MsMpEng\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)mpengine\.dll</field>
    </rule>
    <rule id="900038" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via WER - Application</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Application\ Error)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1000)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:lsass\.exe)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:c0000001)</field>
    </rule>
    <rule id="900039" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Ntdsutil Abuse</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:ESENT)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:216|325|326|327)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)ntds\.dit</field>
    </rule>
    <rule id="900040" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.credential_access</id>
            <id>attack.t1212</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>attack.impact</id>
            <id>attack.t1499.004</id>
        </mitre>
        <description>Audit CVE Event</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Audit\-CVE|Audit\-CVE)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1)$</field>
    </rule>
    <rule id="900041" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>Backup Catalog Deleted</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:524)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Backup)$</field>
    </rule>
    <rule id="900042" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1072</id>
        </mitre>
        <description>Restricted Software Access By SRP</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-SoftwareRestrictionPolicies)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:865|866|867|868|882)$</field>
    </rule>
    <rule id="900043" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Application Uninstalled</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MsiInstaller)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1034|11724)$</field>
    </rule>
    <rule id="900044" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSI Installation From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MsiInstaller)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1040|1042)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i):\\+Windows\\+TEMP\\+|\\+|\\+Desktop\\+|\\+PerfLogs\\+|\\+Users\\+Public\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+UpdHealthTools\.msi</field>
    </rule>
    <rule id="900045" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>MSI Installation From Web</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MsiInstaller)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1040|1042)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)://</field>
    </rule>
    <rule id="900046" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1219</id>
        </mitre>
        <description>Atera Agent Installation</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1033)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MsiInstaller)$</field>
        <field name="win.system.message" negate="no" type="pcre2">(?i)AteraAgent</field>
    </rule>
    <rule id="900047" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>MSSQL Add Account To Sysadmin Role</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:sysadmin</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:statement:alter\ server\ role\ \[sysadmin\]\ add\ member\ )</field>
    </rule>
    <rule id="900048" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>MSSQL Disable Audit Settings</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:ALTER\ SERVER\ AUDIT|statement:DROP\ SERVER\ AUDIT</field>
    </rule>
    <rule id="900049" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>MSSQL Server Failed Logon</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:18456)$</field>
    </rule>
    <rule id="900050" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>MSSQL Server Failed Logon From External Network</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:18456)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 10\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.16\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.17\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.18\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.19\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.20\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.21\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.22\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.23\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.24\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.25\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.26\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.27\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.28\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.29\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.30\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 172\.31\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 192\.168\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 127\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)CLIENT:\ 169\.254\.</field>
    </rule>
    <rule id="900051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>MSSQL SPProcoption Set</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:sp_procoption</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:EXEC</field>
    </rule>
    <rule id="900052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSSQL XPCmdshell Suspicious Execution</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:33205)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)object_name:xp_cmdshell</field>
        <field name="full_log" negate="no" type="pcre2">(?i)statement:EXEC</field>
    </rule>
    <rule id="900053" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>MSSQL XPCmdshell Option Change</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:MSSQLSERVER)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:15457)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)xp_cmdshell</field>
    </rule>
    <rule id="900054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588</id>
        </mitre>
        <description>Relevant Anti-Virus Signature Keywords In Application Log</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Adfind|ASP/BackDoor|ATK/|Backdoor\.ASP|Backdoor\.Cobalt|Backdoor\.JSP|Backdoor\.PHP|Blackworm|Brutel|BruteR|Chopper|Cobalt|COBEACON|Cometer|CRYPTES|Cryptor|Destructor|DumpCreds|Exploit\.Script\.CVE|FastReverseProxy|Filecoder|GrandCrab|HackTool|HKTL:|HKTL\.|HKTL/|HTool|IISExchgSpawnCMD|Impacket|JSP/BackDoor|Keylogger|Koadic|Krypt|Lazagne|Metasploit|Meterpreter|MeteTool|Mimikatz|Mpreter|Nighthawk|Packed\.Generic\.347|PentestPowerShell|Phobos|PHP/BackDoor|PowerSploit|PowerSSH|PshlSpy|PSWTool|PWCrack|PWDump|Ransom|Rozena|Ryzerlo|Sbelt|Seatbelt|SecurityTool|SharpDump|Sliver|Splinter|Swrort|Tescrypt|TeslaCrypt|Valyria|Webshell)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Keygen)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Crack)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:anti_ransomware_service\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:cyber\-protect\-service\.exe)</field>
        <field name="win.system.level" negate="yes" type="pcre2">(?i)^(?:4)$</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)^(?:Microsoft\-Windows\-RestartManager)$</field>
    </rule>
    <rule id="900055" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Command Execution</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:ScreenConnect)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:200)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Executed\ command\ of\ length</field>
    </rule>
    <rule id="900056" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect File Transfer</description>
        <options>no_full_log</options>
        <group>application,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:ScreenConnect)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:201)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Transferred\ files\ with\ action</field>
    </rule>
    <rule id="900057" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1211</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Malware Protection Engine Crash - WER</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Windows\ Error\ Reporting)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1001)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)MsMpEng\.exe</field>
        <field name="full_log" negate="no" type="pcre2">(?i)mpengine\.dll</field>
    </rule>
    <rule id="900058" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.t1059.001</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.006</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>File Was Not Allowed To Run</description>
        <options>no_full_log</options>
        <group>windows,applocker,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:8004|8007|8022|8025)$</field>
    </rule>
    <rule id="900059" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Sysinternals Tools AppX Versions Execution</description>
        <options>no_full_log</options>
        <group>windows,appmodel-runtime,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:201)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:procdump\.exe|psloglist\.exe|psexec\.exe|livekd\.exe|ADExplorer\.exe)</field>
    </rule>
    <rule id="900060" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Deployment AppX Package Was Blocked By AppLocker</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:412)$</field>
    </rule>
    <rule id="900061" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Malicious AppX Package Installation Attempts</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:400|401)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)3669e262\-ec02\-4e9d\-bcb4\-3d008b4afac9</field>
    </rule>
    <rule id="900062" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Deployment Of The AppX Package Was Blocked By The Policy</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:441|442|453|454)$</field>
    </rule>
    <rule id="900063" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious AppX Package Installation Attempt</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:401)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:0x80073cff)</field>
    </rule>
    <rule id="900064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Remote AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:854)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\.githubusercontent\.com|anonfiles\.com|cdn\.discordapp\.com|cdn\.discordapp\.com/attachments/|ddns\.net|dl\.dropboxusercontent\.com|ghostbin\.co|glitch\.me|gofile\.io|hastebin\.com|mediafire\.com|mega\.nz|onrender\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|send\.exploit\.in|sendspace\.com|storage\.googleapis\.com|storjshare\.io|supabase\.co|temp\.sh|transfer\.sh|ufile\.io</field>
    </rule>
    <rule id="900065" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:854)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)C:\\+Users\\+Public\\+|/users/public/|C:\\+PerfLogs\\+|C:/perflogs/|\\+Desktop\\+|/desktop/|\\+Downloads\\+|/Downloads/|C:\\+Windows\\+Temp\\+|C:/Windows/Temp/|\\+AppdData\\+Local\\+Temp\\+|/AppdData/Local/Temp/</field>
    </rule>
    <rule id="900066" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Uncommon AppX Package Locations</description>
        <options>no_full_log</options>
        <group>windows,appxdeployment-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:854)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SystemApps\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+PrintDialog\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)C:\\+Windows\\+ImmersiveControlPanel\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)x\-windowsupdate://</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)file:///C:/Program%20Files</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://statics\.teams\.cdn\.office\.net/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)microsoft\.com</field>
    </rule>
    <rule id="900067" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Digital Signature Of AppX Package</description>
        <options>no_full_log</options>
        <group>windows,appxpackaging-om,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:157)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:CN=Foresee\ Consulting\ Inc\.,\ O=Foresee\ Consulting\ Inc\.,\ L=North\ York,\ S=Ontario,\ C=CA,\ SERIALNUMBER=1004913\-1,\ OID\.1\.3\.6\.1\.4\.1\.311\.60\.2\.1\.3=CA,\ OID\.2\.5\.4\.15=Private\ Organization)</field>
    </rule>
    <rule id="900068" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>New BITS Job Created Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="900069" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>New BITS Job Created Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
    </rule>
    <rule id="900070" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Downloading File Potential Suspicious Extension</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16403)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.bat|\.dll|\.exe|\.hta|\.ps1|\.psd1|\.sh|\.vbe|\.vbs)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.com</field>
    </rule>
    <rule id="900071" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download From File Sharing Domains</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16403)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\.githubusercontent\.com|anonfiles\.com|cdn\.discordapp\.com|cdn\.discordapp\.com/attachments/|ddns\.net|dl\.dropboxusercontent\.com|ghostbin\.co|glitch\.me|gofile\.io|hastebin\.com|mediafire\.com|mega\.nz|onrender\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|send\.exploit\.in|sendspace\.com|storage\.googleapis\.com|storjshare\.io|supabase\.co|temp\.sh|transfer\.sh|ufile\.io</field>
    </rule>
    <rule id="900072" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download From Direct IP</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16403)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)http://1|http://2|http://3|http://4|http://5|http://6|http://7|http://8|http://9|https://1|https://2|https://3|https://4|https://5|https://6|https://7|https://8|https://9</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://10\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://192\.168\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.16\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.17\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.18\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.19\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.20\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.21\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.22\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.23\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.24\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.25\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.26\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.27\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.28\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.29\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.30\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://172\.31\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://127\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)://169\.254\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://7\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)http://7\-</field>
    </rule>
    <rule id="900073" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job With Uncommon Or Suspicious Remote TLD</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16403)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.azureedge\.net/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.com/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.sfx\.ms/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)download\.mozilla\.org/</field>
    </rule>
    <rule id="900074" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
        </mitre>
        <description>BITS Transfer Job Download To Potential Suspicious Folder</description>
        <options>no_full_log</options>
        <group>windows,bits-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16403)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Desktop\\+|C:\\+Users\\+Public\\+|C:\\+PerfLogs\\+</field>
    </rule>
    <rule id="900075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>Certificate Private Key Acquired</description>
        <options>no_full_log</options>
        <group>windows,capi2,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:70)$</field>
    </rule>
    <rule id="900076" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>Certificate Exported From Local Certificate Store</description>
        <options>no_full_log</options>
        <group>windows,certificateservicesclient-lifecycle-system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1007)$</field>
    </rule>
    <rule id="900077" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>CodeIntegrity - Unmet Signing Level Requirements By File Under Validation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3033|3034)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+assembly\\+GAC\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
    </rule>
    <rule id="900078" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>CodeIntegrity - Unmet Signing Level Requirements By File Under Validation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3033|3034)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+DTrace\\+dtrace\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+svchost\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Windows\\+System32\\+DriverStore\\+FileRepository\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+igd10iumd64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+nvspcap64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Keybase\\+Gui\\+Keybase\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+svchost\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+SIHClient\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office\\+root\\+vfs\\+ProgramFilesCommonX64\\+Microsoft\ Shared\\+OFFICE</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+MSOXMLMF\.DLL)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+nvspcap64\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+slack\\+app\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+mozavcodec\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+mozavutil\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Mozilla\ Firefox\\+firefox\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Avast\ Software\\+Avast\\+aswAMSI\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Avast\ Software\\+Avast\\+aswAMSI\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+crashpad_handler\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Trend\ Micro\\+Client\ Server\ Security\ Agent\\+perficrcperfmonmgr\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+National\ Instruments\\+Shared\\+mDNS\ Responder\\+nimdnsNSP\.dll\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+McAfee\\+Endpoint\ Security\\+Threat\ Prevention\\+MfeAmsiProvider\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+McAfee\\+MfeAV\\+AMSIExt\.dll)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+ESET\\+ESET\ Security\\+eamsi\.dll)</field>
    </rule>
    <rule id="900079" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3104)$</field>
    </rule>
    <rule id="900080" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>CodeIntegrity - Blocked Image/Driver Load For Policy Violation</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3077)$</field>
    </rule>
    <rule id="900081" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>CodeIntegrity - Blocked Driver Load With Revoked Certificate</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3023)$</field>
    </rule>
    <rule id="900082" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Revoked Kernel Driver Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3021|3022)$</field>
    </rule>
    <rule id="900083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Blocked Image Load With Revoked Certificate</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3036)$</field>
    </rule>
    <rule id="900084" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Revoked Image Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3032|3035)$</field>
    </rule>
    <rule id="900085" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unsigned Kernel Module Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3001)$</field>
    </rule>
    <rule id="900086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unsigned Image Loaded</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3037)$</field>
    </rule>
    <rule id="900087" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module</description>
        <options>no_full_log</options>
        <group>windows,codeintegrity-operational,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3082|3083)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:system32\\+drivers\\+vsock\.sys)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:System32\\+drivers\\+vmci\.sys)</field>
    </rule>
    <rule id="900088" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Loading Diagcab Package From Remote Path</description>
        <options>no_full_log</options>
        <group>windows,diagnosis-scripted,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:101)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+</field>
    </rule>
    <rule id="900089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query for Anonfiles.com Domain - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.anonfiles\.com</field>
    </rule>
    <rule id="900090" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To MEGA Hosting Website - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)userstorage\.mega\.co\.nz</field>
    </rule>
    <rule id="900091" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>Query Tor Onion Address - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.onion</field>
    </rule>
    <rule id="900092" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To Ufile.io - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)ufile\.io</field>
    </rule>
    <rule id="900093" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:aaa\.stage\.|post\.1)</field>
    </rule>
    <rule id="900094" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - DNS Client</description>
        <options>no_full_log</options>
        <group>windows,dns-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3008)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.stage\.123456\.</field>
    </rule>
    <rule id="900095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1590.002</id>
        </mitre>
        <description>Failed DNS Zone Transfer</description>
        <options>no_full_log</options>
        <group>windows,dns-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:6004)$</field>
    </rule>
    <rule id="900096" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DNS Server Error Failed Loading the ServerLevelPluginDLL</description>
        <options>no_full_log</options>
        <group>windows,dns-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:150|770|771)$</field>
    </rule>
    <rule id="900097" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1200</id>
        </mitre>
        <description>USB Device Plugged</description>
        <options>no_full_log</options>
        <group>windows,driver-framework,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2003|2100|2102)$</field>
    </rule>
    <rule id="900098" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Uncommon New Firewall Rule Added In Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2004|2071)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:2)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+PerfLogs\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+Tasks\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="900099" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Uncommon New Firewall Rule Added In Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2004|2071)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+MsMpEng\.exe</field>
    </rule>
    <rule id="900100" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2004|2071)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:2)</field>
    </rule>
    <rule id="900101" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>All Rules Have Been Deleted From The Windows Firewall Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2033|2059)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+svchost\.exe)</field>
    </rule>
    <rule id="900102" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>All Rules Have Been Deleted From The Windows Firewall Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2033|2059)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+MsMpEng\.exe</field>
    </rule>
    <rule id="900103" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>A Rule Has Been Deleted From The Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2006|2052)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+svchost\.exe)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:None)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:)</field>
    </rule>
    <rule id="900104" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>A Rule Has Been Deleted From The Windows Firewall Exception List</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2006|2052)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)</field>
    </rule>
    <rule id="900105" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>The Windows Defender Firewall Service Failed To Load Group Policy</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2009)$</field>
    </rule>
    <rule id="900106" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Windows Defender Firewall Has Been Reset To Its Default Configuration</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2032|2060)$</field>
    </rule>
    <rule id="900107" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Windows Firewall Settings Have Been Changed</description>
        <options>no_full_log</options>
        <group>windows,firewall-as,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:2002|2083|2003|2082|2008)$</field>
    </rule>
    <rule id="900108" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Potential Active Directory Reconnaissance/Enumeration Via LDAP</description>
        <options>no_full_log</options>
        <group>windows,ldap,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:30)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483648$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483656$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483652$|$groupType:1\.2\.840\.113556\.1\.4\.803:=2147483650$|$sAMAccountType=805306369$|$sAMAccountType=805306368$|$sAMAccountType=536870913$|$sAMAccountType=536870912$|$sAMAccountType=268435457$|$sAMAccountType=268435456$|$objectCategory=groupPolicyContainer$|$objectCategory=organizationalUnit$|$objectCategory=Computer$|$objectCategory=nTDSDSA$|$objectCategory=server$|$objectCategory=domain$|$objectCategory=person$|$objectCategory=group$|$objectCategory=user$|$objectClass=trustedDomain$|$objectClass=computer$|$objectClass=server$|$objectClass=group$|$objectClass=user$|$primaryGroupID=521$|$primaryGroupID=516$|$primaryGroupID=515$|$primaryGroupID=512$|Domain\ Admins|objectGUID=\\+.+|$schemaIDGUID=\\+.+$</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)^(?:30)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)$domainSid=.+$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)$objectSid=.+$</field>
    </rule>
    <rule id="900109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Potential Active Directory Reconnaissance/Enumeration Via LDAP</description>
        <options>no_full_log</options>
        <group>windows,ldap,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:30)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=4194304$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=2097152$|!$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=1048574$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=524288$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=65536$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=8192$|$userAccountControl:1\.2\.840\.113556\.1\.4\.803:=544$|!$UserAccountControl:1\.2\.840\.113556\.1\.4\.803:=2$|msDS\-AllowedToActOnBehalfOfOtherIdentity|msDS\-AllowedToDelegateTo|msDS\-GroupManagedServiceAccount|$accountExpires=9223372036854775807$|$accountExpires=0$|$adminCount=1$|ms\-MCS\-AdmPwd</field>
    </rule>
    <rule id="900110" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Standard User In High Privileged Group</description>
        <options>no_full_log</options>
        <group>windows,lsa-server,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:300)$</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)S\-1\-5\-32\-544|\-500\}|\-518\}|\-519\}</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-500)$</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-518)$</field>
        <field name="win.eventdata.targetUserSid" negate="yes" type="pcre2">(?i)(?:\-519)$</field>
    </rule>
    <rule id="900111" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587.001</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>ProxyLogon MSExchange OabVirtualDirectory</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:OabVirtualDirectory|\ \-ExternalUrl\ )</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:eval$request|http://f/&lt;script|"unsafe"\};|function\ Page_Load\($)</field>
    </rule>
    <rule id="900112" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Certificate Request Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:New\-ExchangeCertificate|\ \-GenerateRequest|\ \-BinaryEncoded|\ \-RequestFile)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+localhost\\+C\$|\\+127\.0\.0\.1\\+C\$|C:\\+inetpub|\.aspx)</field>
    </rule>
    <rule id="900113" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Mailbox Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:New\-MailboxExportRequest|\ \-Mailbox\ )</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-FilePath\ "\\+|\.aspx)</field>
    </rule>
    <rule id="900114" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Mailbox Export to Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:New\-ManagementRoleAssignment|\ \-Role\ "Mailbox\ Import\ Export"|\ \-User\ )</field>
    </rule>
    <rule id="900115" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Remove Exported Mailbox from Exchange Webserver</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Remove\-MailboxExportRequest|\ \-Identity\ |\ \-Confirm\ "False")</field>
    </rule>
    <rule id="900116" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Exchange Set OabVirtualDirectory ExternalUrl Property</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Set\-OabVirtualDirectory|ExternalUrl|Page_Load|script)</field>
    </rule>
    <rule id="900117" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>MSExchange Transport Agent Installation - Builtin</description>
        <options>no_full_log</options>
        <group>windows,msexchange-management,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Install\-TransportAgent)</field>
    </rule>
    <rule id="900118" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>Failed MSExchange Transport Agent Installation</description>
        <options>no_full_log</options>
        <group>msexchange-management,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:6)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Install\-TransportAgent</field>
    </rule>
    <rule id="900119" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>NTLM Logon</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:8002)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i).+</field>
    </rule>
    <rule id="900120" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
        </mitre>
        <description>NTLM Brute Force</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:8004)$</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)^(?:Rdesktop|Remmina|Freerdp|Windows7|Windows8|Windows2012|Windows2016|Windows2019)$</field>
    </rule>
    <rule id="900121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Potential Remote Desktop Connection to Non-Domain Host</description>
        <options>no_full_log</options>
        <group>windows,ntlm,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:8001)$</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)^(?:TERMSRV)</field>
    </rule>
    <rule id="900122" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.004</id>
        </mitre>
        <description>OpenSSH Server Listening On Socket</description>
        <options>no_full_log</options>
        <group>windows,openssh,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:sshd)</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)^(?:Server\ listening\ on\ )</field>
    </rule>
    <rule id="900123" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>Azure AD Health Monitoring Agent Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4663)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:Key)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+Microsoft\ Online\\+Reporting\\+MonitoringAgent)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.DiagnosticsAgent\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.InsightsService\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.MonitoringAgent\.Startup\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Common\.Clients\.ResourceMonitor\.exe</field>
    </rule>
    <rule id="900124" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>Azure AD Health Service Agents Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4663)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:Key)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+ADHealthAgent)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.DiagnosticsAgent\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.InsightsService\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.MonitoringAgent\.Startup\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)Microsoft\.Identity\.Health\.Common\.Clients\.ResourceMonitor\.exe</field>
    </rule>
    <rule id="900125" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Powerview Add-DomainObjectAcl DCSync AD Extend Right</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:ntSecurityDescriptor)$</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i)1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)^(?:dnsNode)$</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)^(?:dnsZoneScope)$</field>
        <field name="win.eventdata.objectClass" negate="yes" type="pcre2">(?i)^(?:dnsZone)$</field>
    </rule>
    <rule id="900126" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>AD Privileged Users or Groups Reconnaissance</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4661)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SAM_USER|SAM_GROUP)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\-512|\-502|\-500|\-505|\-519|\-520|\-544|\-551|\-555)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)admin</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900127" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4898)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900128" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4899)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability with Risky EKU</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4898)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>ADCS Certificate Template Configuration Vulnerability with Risky EKU</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4898)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4899)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0</field>
        <field name="full_log" negate="no" type="pcre2">(?i)CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT</field>
    </rule>
    <rule id="900131" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Add or Remove Computer from DC</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4741|4743)$</field>
    </rule>
    <rule id="900132" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Access To ADMIN$ Network Share</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5140)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:Admin\$)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900133" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222.001</id>
        </mitre>
        <description>AD Object WriteDAC Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)^(?:DS)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x40000)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:19195a5b\-6da0\-11d0\-afd3\-00c04fd930c9|domainDNS)$</field>
    </rule>
    <rule id="900134" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Active Directory Replication from Non Machine Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x100)$</field>
        <field name="win.eventdata.properties" negate="no" type="pcre2">(?i)1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
    </rule>
    <rule id="900135" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>Potential AD User Enumeration From Non-Machine Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)bf967aba\-0de6\-11d0\-a285\-00aa003049e2</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)(?:1.|3.|4.|7.|9.|B.|D.|F.)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
    </rule>
    <rule id="900136" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.allowedToDelegateTo" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900137" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
    </rule>
    <rule id="900138" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:msDS\-AllowedToDelegateTo)$</field>
    </rule>
    <rule id="900139" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.objectClass" negate="no" type="pcre2">(?i)^(?:user)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:servicePrincipalName)$</field>
    </rule>
    <rule id="900140" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1098</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Active Directory User Backdoors</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:msDS\-AllowedToActOnBehalfOfOtherIdentity)$</field>
    </rule>
    <rule id="900141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:8...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:A...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:C...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:E...)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F...)$</field>
    </rule>
    <rule id="900142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
    </rule>
    <rule id="900143" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Weak Encryption Enabled and Kerberoast</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
        <field name="win.eventdata.newUacValue" negate="no" type="pcre2">(?i)(?:8...|9...|A...|B...|C...|D...|E...|F...)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:1....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:3....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:5....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:7....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F....)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:8..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:9..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:A..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:B..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:C..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:D..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:E..)$</field>
        <field name="win.eventdata.newUacValue" negate="yes" type="pcre2">(?i)(?:F..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:8..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:9..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:A..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:B..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:C..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:D..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:E..)$</field>
        <field name="win.eventdata.oldUacValue" negate="yes" type="pcre2">(?i)(?:F..)$</field>
    </rule>
    <rule id="900144" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1087</id>
            <id>attack.t1114</id>
            <id>attack.t1059</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Hacktool Ruler</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4776)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:RULER)</field>
    </rule>
    <rule id="900145" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1087</id>
            <id>attack.t1114</id>
            <id>attack.t1059</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Hacktool Ruler</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624|4625)$</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)^(?:RULER)$</field>
    </rule>
    <rule id="900146" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>car.2013-05-004</id>
            <id>car.2015-04-001</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Remote Task Creation via ATSVC Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)^(?:atsvc)$</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData</field>
    </rule>
    <rule id="900147" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Security Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:517)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Security)$</field>
    </rule>
    <rule id="900148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Security Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1102)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Eventlog)$</field>
    </rule>
    <rule id="900149" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Processes Accessing the Microphone and Webcam</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657|4656|4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+CapabilityAccessManager\\+ConsentStore\\+microphone\\+NonPackaged|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+CapabilityAccessManager\\+ConsentStore\\+webcam\\+NonPackaged</field>
    </rule>
    <rule id="900150" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="900151" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)%COMSPEC%</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900152" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell\ \-nop\ \-w\ hidden\ \-encodedcommand</field>
    </rule>
    <rule id="900153" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">IEX\ $New\-Object\ Net\.Webclient$\.DownloadString\('http://127\.0\.0\.1:</field>
    </rule>
    <rule id="900154" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.001</id>
        </mitre>
        <description>Failed Code Integrity Checks</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5038|6281)$</field>
    </rule>
    <rule id="900155" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>DCERPC SMB Spoolss Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)^(?:spoolss)$</field>
    </rule>
    <rule id="900156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>DCOM InternetExplorer.Application Iertutil DLL Hijack - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900157" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.s0002</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Mimikatz DC Sync</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.properties" negate="no" type="pcre2">(?i)Replicating\ Directory\ Changes\ All|1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2|1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2|9923a32a\-3607\-11d2\-b9be\-0000f87a36b2|89e95b76\-444d\-4c62\-991a\-0facbeda640c</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x100)$</field>
        <field name="win.eventdata.subjectDomainName" negate="yes" type="pcre2">(?i)^(?:Window\ Manager)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:NT\ AUT)</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)^(?:MSOL_)</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900158" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1200</id>
        </mitre>
        <description>Device Installation Blocked</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:6423)$</field>
    </rule>
    <rule id="900159" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4719)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448|%%8450</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9210\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9211\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9212\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9215\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9217\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE921B\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE922B\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE922F\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9230\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9235\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9236\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9237\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE923F\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9240\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\{0CCE9242\-69AE\-11D9\-BED3\-505054503030\})</field>
    </rule>
    <rule id="900160" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Important Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4719)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\{0CCE9210\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9211\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9212\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9215\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE921B\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE922B\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE922F\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9230\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9235\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9236\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9237\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE923F\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9240\-69AE\-11D9\-BED3\-505054503030\}|\{0CCE9242\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448|%%8450</field>
    </rule>
    <rule id="900161" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Important Windows Event Auditing Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4719)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\{0CCE9217\-69AE\-11D9\-BED3\-505054503030\})</field>
        <field name="full_log" negate="no" type="pcre2">(?i)%%8448</field>
    </rule>
    <rule id="900162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Registry</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+\.NETFramework)$</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)^(?:ETWEnabled)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900163" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Registry</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Environment</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)^(?:COMPlus_ETWEnabled|COMPlus_ETWFlags)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.004</id>
        </mitre>
        <description>DPAPI Domain Backup Key Extraction</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SecretObject)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x2)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)BCKUPKEY</field>
    </rule>
    <rule id="900165" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.004</id>
        </mitre>
        <description>DPAPI Domain Master Key Backup Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4692)$</field>
    </rule>
    <rule id="900166" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Persistence and Execution at Scale via GPO Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+SYSVOL)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:ScheduledTasks\.xml)$</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData|%%4417</field>
    </rule>
    <rule id="900167" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Hidden Local User Creation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4720)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)^(?:HomeGroupUser\$)$</field>
    </rule>
    <rule id="900168" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>HackTool - EDRSilencer Execution - Filter Added</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5441|5447)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Custom\ Outbound\ Filter</field>
    </rule>
    <rule id="900169" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - NoFilter Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5447)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)RonPolicy</field>
    </rule>
    <rule id="900170" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - NoFilter Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5449)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)RonPolicy</field>
    </rule>
    <rule id="900171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>HybridConnectionManager Service Installation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:HybridConnectionManager)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)HybridConnectionManager</field>
    </rule>
    <rule id="900172" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Impacket PsExec Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)RemCom_stdin|RemCom_stdout|RemCom_stderr</field>
    </rule>
    <rule id="900173" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Possible Impacket SecretDump Remote Activity</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+ADMIN\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)SYSTEM32\\+</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)\.tmp</field>
    </rule>
    <rule id="900174" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)clipboard\]::</field>
    </rule>
    <rule id="900175" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="900176" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)readtoend</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
    </rule>
    <rule id="900177" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900178" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)environment|invoke|\$\{input\)</field>
    </rule>
    <rule id="900179" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\(Clipboard\|i</field>
    </rule>
    <rule id="900180" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)window\.close</field>
    </rule>
    <rule id="900181" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900182" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="900183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO Image Mounted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663)$</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)^(?:Security)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:File)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:\\+Device\\+CdRom)</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)^(?:\\+Device\\+CdRom0\\+autorun\.ico)$</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)^(?:\\+Device\\+CdRom0\\+setup\.exe)$</field>
        <field name="win.eventdata.objectName" negate="yes" type="pcre2">(?i)^(?:\\+Device\\+CdRom0\\+setup64\.exe)$</field>
    </rule>
    <rule id="900184" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>First Time Seen Remote Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:atsvc)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:samr)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:lsarpc)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:lsass)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:winreg)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:netlogon)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:srvsvc)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:protected_storage)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:wkssvc)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:browser)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:netdfs)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:spoolss)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:ntsvcs)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:LSM_API_service)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:HydraLsPipe)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:TermSrv_API_service)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:MsFteWds)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:sql\\+query)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:eventlog)$</field>
    </rule>
    <rule id="900185" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access From Non System Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663|4656)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x100000|0x1010|0x1400|0x1410|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40|143a|1f0fff|1f1fff|1f2fff|1f3fff)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:Process)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.accessMask" negate="yes" type="pcre2">(?i)^(?:0x1410)$</field>
    </rule>
    <rule id="900186" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access From Non System Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663|4656)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x100000|0x1010|0x1400|0x1410|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40|143a|1f0fff|1f1fff|1f2fff|1f3fff)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:Process)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+SteamLibrary\\+steamapps\\+</field>
    </rule>
    <rule id="900187" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
            <id>attack.t1569.002</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Credential Dumping Tools Service Execution - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cachedump|dumpsvc|fgexec|gsecdump|mimidrv|pwdump|servpw</field>
    </rule>
    <rule id="900188" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1003</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Malicious Service Installations</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:javamtsup)$</field>
    </rule>
    <rule id="900189" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.s0005</id>
        </mitre>
        <description>WCE wceaux.dll Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4658|4660|4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+wceaux\.dll)$</field>
    </rule>
    <rule id="900190" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Metasploit SMB Authentication</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4625|4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)^(?:NTLM)$</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)^[A-Za-z0-9]{16}$</field>
    </rule>
    <rule id="900191" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Metasploit SMB Authentication</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4776)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)[A-Za-z0-9]{16}</field>
    </rule>
    <rule id="900192" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1570</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Metasploit Or Impacket Service Installation Via SMB PsExec</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)^%systemroot%\\+[a-zA-Z]{8}\.exe$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:3)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:0x10)</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)^(?:PSEXESVC)$</field>
    </rule>
    <rule id="900193" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="900194" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="900195" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)^(?:\\+127\.0\.0\.1\\+ADMIN\$\\+)</field>
    </rule>
    <rule id="900196" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NetNTLM Downgrade Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+REGISTRY\\+MACHINE\\+SYSTEM</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Control\\+Lsa</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)^(?:LmCompatibilityLevel|NtlmMinClientSec|RestrictSendingNTLMTraffic)$</field>
    </rule>
    <rule id="900197" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Windows Network Access Suspicious desktop.ini Action</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:File)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+desktop\.ini)$</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)WriteData|DELETE|WriteDAC|AppendData|AddSubdirectory</field>
    </rule>
    <rule id="900198" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4720)$</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900199" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4781)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900200" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New or Renamed User Account with '$' Character</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)^(?:4720)$</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)^(?:HomeGroupUser\$)$</field>
    </rule>
    <rule id="900201" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Denied Access To Remote Desktop</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4825)$</field>
    </rule>
    <rule id="900202" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1201</id>
        </mitre>
        <description>Password Policy Enumerated</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4661)$</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%5392</field>
        <field name="win.eventdata.objectServer" negate="no" type="pcre2">(?i)^(?:Security\ Account\ Manager)$</field>
    </rule>
    <rule id="900203" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pcap_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Windows Pcap Drivers</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)pcap|npcap|npf|nm3|ndiscap|nmnt|windivert|USBPcap|pktmon</field>
    </rule>
    <rule id="900204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1187</id>
        </mitre>
        <description>Possible PetitPotam Coerce Authentication Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+)</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)(?:\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)^(?:lsarpc)$</field>
        <field name="win.eventdata.subjectUserName" negate="no" type="pcre2">(?i)^(?:ANONYMOUS\ LOGON)$</field>
    </rule>
    <rule id="900205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1187</id>
        </mitre>
        <description>PetitPotam Suspicious Kerberos TGT Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4768)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i).+</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)^(?:::1)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:)</field>
    </rule>
    <rule id="900206" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Possible DC Shadow Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4742)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)GC/</field>
    </rule>
    <rule id="900207" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1207</id>
        </mitre>
        <description>Possible DC Shadow Attack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:servicePrincipalName)$</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i)^(?:GC/)</field>
    </rule>
    <rule id="900208" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell Scripts Installed as Services - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="900209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Protected Storage Service Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)IPC</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)^(?:protected_storage)$</field>
    </rule>
    <rule id="900210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1090.001</id>
            <id>attack.t1090.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP over Reverse SSH Tunnel WFP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5156)$</field>
        <field name="win.eventdata.sourcePort" negate="no" type="pcre2">(?i)^(?:3389)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:127\..+|::1)</field>
    </rule>
    <rule id="900211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1090.001</id>
            <id>attack.t1090.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP over Reverse SSH Tunnel WFP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5156)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:3389)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:127\..+|::1)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:AppContainer\ Loopback)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
    </rule>
    <rule id="900212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Register new Logon Process by Rubeus</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4611)$</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)^(?:User32LogonProcesss)$</field>
    </rule>
    <rule id="900213" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Service Registry Key Read Access Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+SYSTEM\\+</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)ControlSet\\+Services\\+</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%1538</field>
    </rule>
    <rule id="900214" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Remote PowerShell Sessions Network Connections (WinRM)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5156)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:5985|5986)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:44)</field>
    </rule>
    <rule id="900215" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
        </mitre>
        <description>Replay Attack Detected</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4649)$</field>
    </rule>
    <rule id="900216" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>SAM Registry Hive Handle Request</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:Key)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+SAM)$</field>
    </rule>
    <rule id="900217" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1010</id>
        </mitre>
        <description>SCM Database Handle Failure</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SC_MANAGER\ OBJECT)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:ServicesActive)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0xf003f)$</field>
        <field name="win.eventdata.subjectLogonId" negate="yes" type="pcre2">(?i)^(?:0x3e4)$</field>
    </rule>
    <rule id="900218" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>SCM Database Privileged Operation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4674)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SC_MANAGER\ OBJECT)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:servicesactive)$</field>
        <field name="win.eventdata.privilegeList" negate="no" type="pcre2">(?i)^(?:SeTakeOwnershipPrivilege)$</field>
        <field name="win.eventdata.subjectLogonId" negate="yes" type="pcre2">(?i)^(?:0x3e4)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+services\.exe)$</field>
    </rule>
    <rule id="900219" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Remote Access Tool Services Have Been Installed - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)AmmyyAdmin|Atera|BASupportExpressSrvcUpdater|BASupportExpressStandaloneService|chromoting|GoToAssist|GoToMyPC|jumpcloud|LMIGuardianSvc|LogMeIn|monblanking|Parsec|RManService|RPCPerformanceService|RPCService|SplashtopRemoteService|SSUService|TeamViewer|TightVNC|vncserver|Zoho</field>
    </rule>
    <rule id="900220" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>SMB Create Remote File Admin Share</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)(?:C\$)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x2)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A New Trust Was Created To A Domain</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4706)$</field>
    </rule>
    <rule id="900222" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.005</id>
        </mitre>
        <description>Addition of SID History to Active Directory Object</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4765|4766)$</field>
    </rule>
    <rule id="900223" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.005</id>
        </mitre>
        <description>Addition of SID History to Active Directory Object</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4738)$</field>
        <field name="win.eventdata.sidHistory" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.sidHistory" negate="yes" type="pcre2">(?i)^(?:%%1793)$</field>
        <field name="win.eventdata.sidHistory" negate="no" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900224" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2021.42278</id>
            <id>cve.2021.42287</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Win Susp Computer Name Containing Samtheadmin</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)^(?:SAMTHEADMIN\-)</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900225" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2021.42278</id>
            <id>cve.2021.42287</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Win Susp Computer Name Containing Samtheadmin</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:SAMTHEADMIN\-)</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Password Change on Directory Service Restore Mode (DSRM) Account</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4794)$</field>
    </rule>
    <rule id="900227" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.initial_access</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Account Tampering - Suspicious Failed Logon Reasons</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4625|4776)$</field>
        <field name="win.eventdata.status" negate="no" type="pcre2">(?i)^(?:0xC0000072|0xC000006F|0xC0000070|0xC0000413|0xC000018C|0xC000015B)$</field>
        <field name="win.eventdata.subjectUserSid" negate="yes" type="pcre2">(?i)^(?:S\-1\-0\-0)$</field>
    </rule>
    <rule id="900228" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1212</id>
        </mitre>
        <description>Kerberos Manipulation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:675|4768|4769|4771)$</field>
        <field name="win.eventdata.status" negate="no" type="pcre2">(?i)^(?:0x9|0xA|0xB|0xF|0x10|0x11|0x13|0x14|0x1A|0x1F|0x21|0x22|0x23|0x24|0x26|0x27|0x28|0x29|0x2C|0x2D|0x2E|0x2F|0x31|0x32|0x3E|0x3F|0x40|0x41|0x43|0x44)$</field>
    </rule>
    <rule id="900229" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious LDAP-Attributes Used</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeValue" negate="no" type="pcre2">(?i).+</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:primaryInternationalISDNNumber|otherFacsimileTelephoneNumber|primaryTelexNumber)$</field>
    </rule>
    <rule id="900230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
            <id>attack.t1136.002</id>
        </mitre>
        <description>Suspicious Windows ANONYMOUS LOGON Local Account Created</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4720)$</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)ANONYMOUS</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)LOGON</field>
    </rule>
    <rule id="900231" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1078</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Suspicious Remote Logon with Explicit Credentials</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4648)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+winrs\.exe|\\+wmic\.exe|\\+net\.exe|\\+net1\.exe|\\+reg\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:localhost)</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900232" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Password Dumper Activity on LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x705)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SAM_DOMAIN)$</field>
    </rule>
    <rule id="900233" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)0x40|0x1400|0x100000|0x1410|0x1010|0x1438|0x143a|0x1418|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff</field>
    </rule>
    <rule id="900234" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)4484|4416</field>
    </rule>
    <rule id="900235" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+csrss\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+GamingServices\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+lsm\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdate\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+minionhost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MRT\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+perfmon\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+VsTskMgr\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+wininit\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+wmiprvse\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:RtkAudUService64)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SysNative\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWow64\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+taskhostw\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+CCM\\+CcmExec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Sysmon64\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\-sc\\+aurora\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+x64\\+SCENARIOENGINE\.EXE)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+avira_system_speedup\.tmp)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+avira_speedup_setup_update\.tmp)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+snmp\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i):\\+Windows\\+SystemTemp\\+</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
    </rule>
    <rule id="900236" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>car.2019-04-004</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potentially Suspicious AccessMask Requested From LSASS</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.accessList" negate="yes" type="pcre2">(?i)%%4484</field>
    </rule>
    <rule id="900237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.002</id>
            <id>attack.s0039</id>
        </mitre>
        <description>Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4661)$</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:0x2d)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:SAM_USER|SAM_GROUP)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\-500|\-512)$</field>
    </rule>
    <rule id="900238" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Password Protected ZIP File Opened</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5379)$</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="yes" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook</field>
    </rule>
    <rule id="900239" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1105</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Password Protected ZIP File Opened (Suspicious Filenames)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5379)$</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)invoice|new\ order|rechnung|factura|delivery|purchase|order|payment</field>
    </rule>
    <rule id="900240" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.initial_access</id>
            <id>attack.t1027</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Password Protected ZIP File Opened (Email Attachment)</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5379)$</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename</field>
        <field name="win.eventdata.targetName" negate="no" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook</field>
    </rule>
    <rule id="900241" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5156)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:88)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="900242" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5156)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:88)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:\\+device\\+harddiskvolume)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)^(?:C:)</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.application" negate="yes" type="pcre2">(?i)(?:\\+tomcat\\+bin\\+tomcat8\.exe)$</field>
    </rule>
    <rule id="900243" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556</id>
        </mitre>
        <description>Possible Shadow Credentials Added</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5136)$</field>
        <field name="win.eventdata.attributeLDAPDisplayName" negate="no" type="pcre2">(?i)^(?:msDS\-KeyCredentialLink)$</field>
    </rule>
    <rule id="900244" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious PsExec Execution</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\-stdin|\-stdout|\-stderr)$</field>
        <field name="win.eventdata.relativeTargetName" negate="yes" type="pcre2">(?i)^(?:PSEXESVC)</field>
    </rule>
    <rule id="900245" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1039</id>
        </mitre>
        <description>Suspicious Access to Sensitive File Extensions</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\.bak|\.dmp|\.edb|\.kirbi|\.msg|\.nsf|\.nst|\.oab|\.ost|\.pst|\.rdp|\\+groups\.xml)$</field>
    </rule>
    <rule id="900246" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Suspicious Kerberos RC4 Ticket Encryption</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4769)$</field>
        <field name="win.eventdata.ticketOptions" negate="no" type="pcre2">(?i)^(?:0x40810000)$</field>
        <field name="win.eventdata.ticketEncryptionType" negate="no" type="pcre2">(?i)^(?:0x17)$</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Important Scheduled Task Deleted/Disabled</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4699|4701)$</field>
        <field name="win.eventdata.taskName" negate="no" type="pcre2">(?i)\\+Windows\\+SystemRestore\\+SR|\\+Windows\\+Windows\ Defender\\+|\\+Windows\\+BitLocker|\\+Windows\\+WindowsBackup\\+|\\+Windows\\+WindowsUpdate\\+|\\+Windows\\+UpdateOrchestrator\\+Schedule|\\+Windows\\+ExploitGuard</field>
        <field name="win.system.eventID" negate="yes" type="pcre2">(?i)^(?:4699)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.taskName" negate="yes" type="pcre2">(?i)\\+Windows\\+Windows\ Defender\\+</field>
    </rule>
    <rule id="900248" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
            <id>attack.t1027.005</id>
            <id>attack.t1485</id>
            <id>attack.t1553.002</id>
            <id>attack.s0195</id>
        </mitre>
        <description>Secure Deletion with SDelete</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4663|4658)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:\.AAA|\.ZZZ)$</field>
    </rule>
    <rule id="900249" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.006</id>
        </mitre>
        <description>Unauthorized System Time Modification</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4616)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VMware\\+VMware\ Tools\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+VBoxService\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+oobe\\+msoobe\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.subjectUserSid" negate="yes" type="pcre2">(?i)^(?:S\-1\-5\-19)$</field>
    </rule>
    <rule id="900250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.persistence</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Remote Service Activity via SVCCTL Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.shareName" negate="no" type="pcre2">(?i)^(?:\\+.+\\+IPC\$)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)^(?:svcctl)$</field>
        <field name="win.eventdata.accesses" negate="no" type="pcre2">(?i)WriteData</field>
    </rule>
    <rule id="900251" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1012</id>
        </mitre>
        <description>SysKey Registry Keys Access</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4663)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:key)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)(?:lsa\\+JD|lsa\\+GBG|lsa\\+Skew1|lsa\\+Data)$</field>
    </rule>
    <rule id="900252" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Sysmon Channel Reference Deletion</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)WINEVT\\+Publishers\\+\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}|WINEVT\\+Channels\\+Microsoft\-Windows\-Sysmon/Operational</field>
        <field name="win.eventdata.objectValueName" negate="no" type="pcre2">(?i)^(?:Enabled)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Sysmon Channel Reference Deletion</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)WINEVT\\+Publishers\\+\{5770385f\-c22a\-43e0\-bf4c\-06f5698ffbd9\}|WINEVT\\+Channels\\+Microsoft\-Windows\-Sysmon/Operational</field>
        <field name="win.eventdata.accessMask" negate="no" type="pcre2">(?i)^(?:65536)$</field>
    </rule>
    <rule id="900254" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Driver Installation - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4697)$</field>
        <field name="win.eventdata.serviceFileName" negate="no" type="pcre2">(?i)tap0901</field>
    </rule>
    <rule id="900255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious Teams Application Related ObjectAcess Event</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Teams\\+current\\+Teams\.exe</field>
    </rule>
    <rule id="900256" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Transferring Files with Credential Data via Network Shares</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)\\+mimidrv|\\+lsass|\\+windows\\+minidump\\+|\\+hiberfil|\\+sqldmpr|\\+sam|\\+ntds\.dit|\\+security</field>
    </rule>
    <rule id="900257" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1078</id>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>User Added to Local Administrator Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4732)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:Administr)</field>
        <field name="win.eventdata.targetSid" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-32\-544)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900258" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4673)$</field>
        <field name="win.eventdata.service" negate="no" type="pcre2">(?i)^(?:LsaRegisterLogonProcess)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:0x8010000000000000)</field>
    </rule>
    <rule id="900259" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Local User Creation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4720)$</field>
    </rule>
    <rule id="900260" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Privileged System Service Operation - SeLoadDriverPrivilege</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4673)$</field>
        <field name="win.eventdata.privilegeList" negate="no" type="pcre2">(?i)^(?:SeLoadDriverPrivilege)$</field>
        <field name="win.eventdata.service" negate="no" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Dism\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+rundll32\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+fltMC\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+HelpPane\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wimserv\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+RuntimeBroker\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+SystemSettingsBroker\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft)</field>
    </rule>
    <rule id="900261" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1531</id>
        </mitre>
        <description>User Logoff Event</description>
        <options>no_full_log</options>
        <group>security,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4634|4647)$</field>
    </rule>
    <rule id="900262" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>VSSAudit Security Event Source Registration</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.auditSourceName" negate="no" type="pcre2">(?i)^(?:VSSAudit)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4904|4905)$</field>
    </rule>
    <rule id="900263" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion List Modified</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4657)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900264" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion Reigstry Key - Write Access Requested</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.accessList" negate="no" type="pcre2">(?i)%%4417|%%4418</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4656|4663)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900265" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusion Deleted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4660)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+</field>
    </rule>
    <rule id="900266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>T1047 Wmiprvse Wbemcomn DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5145)$</field>
        <field name="win.eventdata.relativeTargetName" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">(?i)(?:\$)$</field>
    </rule>
    <rule id="900267" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence - Security</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4662)$</field>
        <field name="win.eventdata.objectType" negate="no" type="pcre2">(?i)^(?:WMI\ Namespace)$</field>
        <field name="win.eventdata.objectName" negate="no" type="pcre2">(?i)subscription</field>
    </rule>
    <rule id="900268" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
        </mitre>
        <description>Locked Workstation</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4800)$</field>
    </rule>
    <rule id="900269" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>stp.4u</id>
        </mitre>
        <description>Potential Access Token Abuse</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:9)$</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)^(?:Advapi)$</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)^(?:Negotiate)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:%%1833)</field>
    </rule>
    <rule id="900270" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1078.001</id>
            <id>attack.t1078.002</id>
            <id>attack.t1078.003</id>
            <id>car.2016-04-005</id>
        </mitre>
        <description>Admin User Remote Logon</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:10)$</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)^(?:Negotiate)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:Admin)</field>
    </rule>
    <rule id="900271" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>DiagTrackEoP Default Login Username</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:9)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:thisisnotvaliduser)</field>
    </rule>
    <rule id="900272" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Member Was Added to a Security-Enabled Global Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4728|632)$</field>
    </rule>
    <rule id="900273" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Member Was Removed From a Security-Enabled Global Group</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:633|4729)$</field>
    </rule>
    <rule id="900274" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.s0002</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Successful Overpass the Hash Attempt</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:9)$</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)^(?:seclogo)$</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)^(?:Negotiate)$</field>
    </rule>
    <rule id="900275" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.subjectUserSid" negate="no" type="pcre2">(?i)^(?:S\-1\-0\-0)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)^(?:NtLmSsp)$</field>
        <field name="win.eventdata.keyLength" negate="no" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900276" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:9)$</field>
        <field name="win.eventdata.logonProcessName" negate="no" type="pcre2">(?i)^(?:seclogo)$</field>
    </rule>
    <rule id="900277" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>Pass the Hash Activity 2</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetUserName" negate="yes" type="pcre2">(?i)^(?:ANONYMOUS\ LOGON)$</field>
    </rule>
    <rule id="900278" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Scanner PoC for CVE-2019-0708 RDP RCE Vuln</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4625)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:AAAAAAA)$</field>
    </rule>
    <rule id="900279" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>car.2013-07-002</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>RDP Login from Localhost</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:10)$</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)^(?:::1|127\.0\.0\.1)$</field>
    </rule>
    <rule id="900280" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Remote WMI ActiveScriptEventConsumers</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:scrcons\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:0x3e7)</field>
    </rule>
    <rule id="900281" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>A Security-Enabled Global Group Was Deleted</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4730|634)$</field>
    </rule>
    <rule id="900282" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.credential_access</id>
            <id>attack.t1133</id>
            <id>attack.t1078</id>
            <id>attack.t1110</id>
        </mitre>
        <description>External Remote RDP Logon from Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:10)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
    </rule>
    <rule id="900283" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.credential_access</id>
            <id>attack.t1133</id>
            <id>attack.t1078</id>
            <id>attack.t1110</id>
        </mitre>
        <description>External Remote SMB Logon from Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
    </rule>
    <rule id="900284" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.t1078</id>
            <id>attack.t1190</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Failed Logon From Public IP</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4625)$</field>
        <field name="win.eventdata.ipAddress" negate="yes" type="pcre2">(?i)\-</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
    </rule>
    <rule id="900285" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>KrbRelayUp Attack Pattern</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.authenticationPackageName" negate="no" type="pcre2">(?i)^(?:Kerberos)$</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)^(?:127\.0\.0\.1)$</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)^(?:S\-1\-5\-21\-)</field>
        <field name="win.eventdata.targetUserSid" negate="no" type="pcre2">(?i)(?:\-500)$</field>
    </rule>
    <rule id="900286" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550</id>
        </mitre>
        <description>Outgoing Logon with New Credentials</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:9)$</field>
    </rule>
    <rule id="900287" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>RottenPotato Like Attack Pattern</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.logonType" negate="no" type="pcre2">(?i)^(?:3)$</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:ANONYMOUS\ LOGON)$</field>
        <field name="win.eventdata.workstationName" negate="no" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.ipAddress" negate="no" type="pcre2">(?i)^(?:127\.0\.0\.1|::1)$</field>
    </rule>
    <rule id="900288" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Successful Account Login Via WMI</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:4624)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
    </rule>
    <rule id="900289" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Windows Filtering Platform Blocked Connection From EDR Agent Binary</description>
        <options>no_full_log</options>
        <group>windows,security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5157)$</field>
        <field name="win.eventdata.application" negate="no" type="pcre2">(?i)(?:\\+AmSvc\.exe|\\+cb\.exe|\\+CETASvc\.exe|\\+CNTAoSMgr\.exe|\\+CrAmTray\.exe|\\+CrsSvc\.exe|\\+CSFalconContainer\.exe|\\+CSFalconService\.exe|\\+CybereasonAV\.exe|\\+CylanceSvc\.exe|\\+cyserver\.exe|\\+CyveraService\.exe|\\+CyvrFsFlt\.exe|\\+EIConnector\.exe|\\+elastic\-agent\.exe|\\+elastic\-endpoint\.exe|\\+EndpointBasecamp\.exe|\\+ExecutionPreventionSvc\.exe|\\+filebeat\.exe|\\+fortiedr\.exe|\\+hmpalert\.exe|\\+hurukai\.exe|\\+LogProcessorService\.exe|\\+mcsagent\.exe|\\+mcsclient\.exe|\\+MsMpEng\.exe|\\+MsSense\.exe|\\+Ntrtscan\.exe|\\+PccNTMon\.exe|\\+QualysAgent\.exe|\\+RepMgr\.exe|\\+RepUtils\.exe|\\+RepUx\.exe|\\+RepWAV\.exe|\\+RepWSC\.exe|\\+sedservice\.exe|\\+SenseCncProxy\.exe|\\+SenseIR\.exe|\\+SenseNdr\.exe|\\+SenseSampleUploader\.exe|\\+SentinelAgent\.exe|\\+SentinelAgentWorker\.exe|\\+SentinelBrowserNativeHost\.exe|\\+SentinelHelperService\.exe|\\+SentinelServiceHost\.exe|\\+SentinelStaticEngine\.exe|\\+SentinelStaticEngineScanner\.exe|\\+sfc\.exe|\\+sophos\ ui\.exe|\\+sophosfilescanner\.exe|\\+sophosfs\.exe|\\+sophoshealth\.exe|\\+sophosips\.exe|\\+sophosLivequeryservice\.exe|\\+sophosnetfilter\.exe|\\+sophosntpservice\.exe|\\+sophososquery\.exe|\\+sspservice\.exe|\\+TaniumClient\.exe|\\+TaniumCX\.exe|\\+TaniumDetectEngine\.exe|\\+TMBMSRV\.exe|\\+TmCCSF\.exe|\\+TmListen\.exe|\\+TmWSCSvc\.exe|\\+Traps\.exe|\\+winlogbeat\.exe|\\+WSCommunicator\.exe|\\+xagt\.exe)$</field>
    </rule>
    <rule id="900290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Microsoft Defender Blocked from Loading Unsigned DLL</description>
        <options>no_full_log</options>
        <group>windows,security-mitigations,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:11|12)$</field>
        <field name="win.eventdata.processPath" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
    </rule>
    <rule id="900291" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Unsigned Binary Loaded From Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,security-mitigations,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:11|12)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+PerfLogs\\+|\\+Desktop\\+|\\+Downloads\\+|\\+AppData\\+Local\\+Temp\\+|C:\\+Windows\\+TEMP\\+</field>
    </rule>
    <rule id="900292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>HybridConnectionManager Service Running</description>
        <options>no_full_log</options>
        <group>windows,microsoft-servicebus-client,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:40300|40301|40302)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:HybridConnection|sb://|servicebus\.windows\.net|HybridConnectionManage)</field>
    </rule>
    <rule id="900293" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Application Installed</description>
        <options>no_full_log</options>
        <group>windows,shell-core,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:28115)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Zenmap|AnyDesk|wireshark|openvpn</field>
    </rule>
    <rule id="900294" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Application Installed</description>
        <options>no_full_log</options>
        <group>windows,shell-core,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:28115)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)zenmap\.exe|prokzult\ ad|wireshark|openvpn</field>
    </rule>
    <rule id="900295" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>Suspicious Rejected SMB Guest Logon From IP</description>
        <options>no_full_log</options>
        <group>windows,smbclient-security,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:31017)$</field>
        <field name="win.eventdata.samAccountName" negate="no" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.serverName" negate="no" type="pcre2">(?i)^(?:\\+1)</field>
    </rule>
    <rule id="900296" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Sysmon Application Crashed</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Application\ Popup)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:26)$</field>
        <field name="win.eventdata.caption" negate="no" type="pcre2">(?i)^(?:sysmon64\.exe\ \-\ Application\ Error|sysmon\.exe\ \-\ Application\ Error)$</field>
    </rule>
    <rule id="900297" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.002</id>
        </mitre>
        <description>NTLMv1 Logon Between Client and Server</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:LsaSrv)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:6038|6039)$</field>
    </rule>
    <rule id="900298" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Active Directory Certificate Services Denied Certificate Enrollment Request</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-CertificationAuthority)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:53)$</field>
    </rule>
    <rule id="900299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DHCP Server Loaded the CallOut DLL</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1033)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-DHCP\-Server)$</field>
    </rule>
    <rule id="900300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DHCP Server Error Failed Loading the CallOut DLL</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1031|1032|1034)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-DHCP\-Server)$</field>
    </rule>
    <rule id="900301" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Potential CVE-2021-42287 Exploitation Attempt</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Directory\-Services\-SAM)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16990|16991)$</field>
    </rule>
    <rule id="900302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Local Privilege Escalation Indicator TabTip</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-DistributedCOM)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:10001)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ink\\+TabTip\.exe)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:2147943140)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\{054AAE20\-4BEA\-4347\-8A35\-64A533254A9D\})</field>
    </rule>
    <rule id="900303" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:104)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Eventlog)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:Microsoft\-Windows\-PowerShell/Operational)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:Microsoft\-Windows\-Sysmon/Operational)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:PowerShellCore/Operational)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:Security)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.channel" negate="yes" type="pcre2">(?i)^(?:Windows\ PowerShell)$</field>
    </rule>
    <rule id="900304" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Important Windows Eventlog Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:104)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Eventlog)$</field>
        <field name="win.eventdata.channel" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-PowerShell/Operational|Microsoft\-Windows\-Sysmon/Operational|PowerShellCore/Operational|Security|System|Windows\ PowerShell)$</field>
    </rule>
    <rule id="900305" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Certificate Use With No Strong Mapping</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Kerberos\-Key\-Distribution\-Center)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:39|41)$</field>
    </rule>
    <rule id="900306" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>KDC RC4-HMAC Downgrade CVE-2022-37966</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:42)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Kerberos\-Key\-Distribution\-Center)$</field>
        <field name="win.system.level" negate="no" type="pcre2">(?i)^(?:2)$</field>
    </rule>
    <rule id="900307" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>No Suitable Encryption Key Found For Generating Kerberos Ticket</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Kerberos\-Key\-Distribution\-Center)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16|27)$</field>
    </rule>
    <rule id="900308" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Critical Hive In Suspicious Location Access Bits Cleared</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Kernel\-General)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Temp\\+SAM|\\+Temp\\+SECURITY</field>
    </rule>
    <rule id="900309" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Volume Shadow Copy Mount</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-Ntfs)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:98)$</field>
        <field name="win.eventdata.deviceName" negate="no" type="pcre2">(?i)HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="900310" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Usage of CVE_2021_34484 or CVE 2022_21919</description>
        <options>no_full_log</options>
        <group>windows,application,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1511)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-User\ Profiles\ Service)$</field>
    </rule>
    <rule id="900311" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.resource_development</id>
            <id>attack.t1584</id>
        </mitre>
        <description>Windows Update Error</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Microsoft\-Windows\-WindowsUpdateClient)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16|20|24|213|217)$</field>
    </rule>
    <rule id="900312" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1210</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Zerologon Exploitation Using Well-known Tools</description>
        <options>no_full_log</options>
        <group>system,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5805|5723)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:kali|mimikatz)</field>
    </rule>
    <rule id="900313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Vulnerable Netlogon Secure Channel Connection Allowed</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:NetLogon)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5829)$</field>
    </rule>
    <rule id="900314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1499.001</id>
        </mitre>
        <description>NTFS Vulnerability Exploitation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Ntfs)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:55)$</field>
        <field name="win.eventdata.origin" negate="no" type="pcre2">(?i)^(?:File\ System\ Driver)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)contains\ a\ corrupted\ file\ record</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)The\ name\ of\ the\ file\ is\ "\\+"</field>
    </rule>
    <rule id="900315" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)ADMIN\$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="900316" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)%COMSPEC%</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900317" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell\ \-nop\ \-w\ hidden\ \-encodedcommand</field>
    </rule>
    <rule id="900318" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>CobaltStrike Service Installations - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">IEX\ $New\-Object\ Net\.Webclient$\.DownloadString\('http://127\.0\.0\.1:</field>
    </rule>
    <rule id="900319" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Threat Detection Disabled - Service</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7036)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Windows\ Defender\ Antivirus\ Service|Service\ antivirus\ Microsoft\ Defender)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:stopped|arrГЄtГ©)</field>
    </rule>
    <rule id="900320" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.execution</id>
            <id>attack.t1021.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>smbexec.py Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:BTOBTO)$</field>
    </rule>
    <rule id="900321" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.execution</id>
            <id>attack.t1021.002</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>smbexec.py Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.bat\ \&amp;\ del\ |__output\ 2\^&gt;\^\&amp;1\ &gt;</field>
    </rule>
    <rule id="900322" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)clipboard\]::</field>
    </rule>
    <rule id="900323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="900324" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)readtoend</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i):system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
    </rule>
    <rule id="900325" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)environment|invoke|input</field>
    </rule>
    <rule id="900327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\(Clipboard\|i</field>
    </rule>
    <rule id="900328" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)vbscript:createobject</field>
    </rule>
    <rule id="900329" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900330" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="900331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>KrbRelayUp Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:KrbSCM)$</field>
    </rule>
    <rule id="900332" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
            <id>attack.t1569.002</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Credential Dumping Tools Service Execution - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cachedump|dumpsvc|fgexec|gsecdump|mimidrv|pwdump|servpw</field>
    </rule>
    <rule id="900333" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="900334" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="900335" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Meterpreter or Cobalt Strike Getsystem Service Installation - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)^(?:\\+127\.0\.0\.1\\+ADMIN\$\\+)</field>
    </rule>
    <rule id="900336" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Moriya Rootkit - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:ZzNetSvc)$</field>
    </rule>
    <rule id="900337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell Scripts Installed as Services</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="900338" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Anydesk Remote Access Software Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:AnyDesk\ Service)$</field>
    </rule>
    <rule id="900339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>HackTool Service Registration or Execution</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045|7036)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)cachedump|DumpSvc|gsecdump|pwdump|UACBypassedService|WCE\ SERVICE|WCESERVICE|winexesvc</field>
    </rule>
    <rule id="900340" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>HackTool Service Registration or Execution</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045|7036)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)bypass</field>
    </rule>
    <rule id="900341" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>ProcessHacker Privilege Elevation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:ProcessHacker)</field>
        <field name="win.eventdata.targetUserName" negate="no" type="pcre2">(?i)^(?:LocalSystem)$</field>
    </rule>
    <rule id="900342" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Remote Access Tool Services Have Been Installed - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045|7036)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)AmmyyAdmin|Atera|BASupportExpressSrvcUpdater|BASupportExpressStandaloneService|chromoting|GoToAssist|GoToMyPC|jumpcloud|LMIGuardianSvc|LogMeIn|monblanking|Parsec|RManService|RPCPerformanceService|RPCService|SplashtopRemoteService|SSUService|TeamViewer|TightVNC|vncserver|Zoho</field>
    </rule>
    <rule id="900343" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Sliver C2 Default Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)^[a-zA-Z]:\\+windows\\+temp\\+[a-zA-Z0-9]{10}\.exe</field>
    </rule>
    <rule id="900344" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Sliver C2 Default Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:Sliver|Sliver\ implant)$</field>
    </rule>
    <rule id="900345" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>Service Installed By Unusual Client - System</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.processId" negate="no" type="pcre2">(?i)^(?:0)$</field>
    </rule>
    <rule id="900346" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-nop\ |\ \-sta\ |\ \-w\ hidden\ |:\\+Temp\\+|\.downloadfile\(|\.downloadstring\(|\\+ADMIN\$\\+|\\+Perflogs\\+|\&amp;\&amp;</field>
    </rule>
    <rule id="900347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Driver Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)tap0901</field>
    </rule>
    <rule id="900348" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+\.\\+pipe|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900349" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ aQBlAHgA|\ aWV4I|\ IAB|\ JAB|\ PAA|\ SQBFAFgA|\ SUVYI</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Definition\ Updates\\+)</field>
    </rule>
    <rule id="900350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Uncommon Service Installation Image Path</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\ aQBlAHgA|\ aWV4I|\ IAB|\ JAB|\ PAA|\ SQBFAFgA|\ SUVYI</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+TEMP\\+thor10\-remote\\+thor64\.exe)</field>
    </rule>
    <rule id="900351" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Windows Service Terminated With Error</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7023)$</field>
    </rule>
    <rule id="900352" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>RTCore Suspicious Service Installation</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.serviceName" negate="no" type="pcre2">(?i)^(?:RTCore64)$</field>
    </rule>
    <rule id="900353" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>car.2013-09-005</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Service Installation in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:Service\ Control\ Manager)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:7045)$</field>
        <field name="win.eventdata.imagePath" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+127\.0\.0\.1|\\+localhost</field>
        <field name="win.eventdata.serviceName" negate="yes" type="pcre2">(?i)^(?:Zoom\ Sharing\ Service)$</field>
        <field name="win.eventdata.imagePath" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Zoom\\+Support\\+CptService\.exe</field>
    </rule>
    <rule id="900354" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Potential RDP Exploit CVE-2019-0708</description>
        <options>no_full_log</options>
        <group>windows,system,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:56|50)$</field>
        <field name="win.eventdata.providerName" negate="no" type="pcre2">(?i)^(?:TermDD)$</field>
    </rule>
    <rule id="900355" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled Task Executed From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:129)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)C:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|C:\\+Temp\\+</field>
    </rule>
    <rule id="900356" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled Task Executed Uncommon LOLBIN</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:129)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+regsvr32\.exe|\\+wscript\.exe)</field>
    </rule>
    <rule id="900357" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Important Scheduled Task Deleted</description>
        <options>no_full_log</options>
        <group>windows,taskscheduler,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:141)$</field>
        <field name="win.eventdata.taskName" negate="no" type="pcre2">(?i)\\+Windows\\+SystemRestore\\+SR|\\+Windows\\+Windows\ Defender\\+|\\+Windows\\+BitLocker|\\+Windows\\+WindowsBackup\\+|\\+Windows\\+WindowsUpdate\\+|\\+Windows\\+UpdateOrchestrator\\+|\\+Windows\\+ExploitGuard</field>
        <field name="win.eventdata.samAccountName" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.samAccountName" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="900358" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>Ngrok Usage with Remote Desktop Service</description>
        <options>no_full_log</options>
        <group>windows,terminalservices-localsessionmanager,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:21)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)16777216</field>
    </rule>
    <rule id="900359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Grace Period Expired</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5101)$</field>
    </rule>
    <rule id="900360" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Access Detected via Attack Surface Reduction</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1121)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+asgard2\-agent\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+atiesrxx\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+CompatTelRunner\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+nvwmi64\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Taskmgr\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+msiexec\.exe)$</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+DriverStore\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+Installer\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.processName" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1047</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PSExec and WMI Process Creations Block</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1121)$</field>
        <field name="win.eventdata.processName" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe|\\+psexesvc\.exe)$</field>
    </rule>
    <rule id="900362" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusions Added</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5007)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions</field>
    </rule>
    <rule id="900363" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exploit Guard Tamper</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5007)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+AllowedApplications\\+</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+PerfLogs\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900364" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exploit Guard Tamper</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5007)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+ProtectedFolders\\+</field>
    </rule>
    <rule id="900365" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Submit Sample Feature Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5007)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)\\+Real\-Time\ Protection\\+SubmitSamplesConsent\ =\ 0x0</field>
    </rule>
    <rule id="900366" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Windows Defender Malware Detection History Deletion</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1013)$</field>
    </rule>
    <rule id="900367" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Malware And PUA Scanning Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5010)$</field>
    </rule>
    <rule id="900368" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Defender AMSI Trigger Detected</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1116)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:AMSI)</field>
    </rule>
    <rule id="900369" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Real-time Protection Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5001)$</field>
    </rule>
    <rule id="900370" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Real-Time Protection Failure/Restart</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:3002|3007)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:%%886)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:%%892)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:%%858)</field>
    </rule>
    <rule id="900371" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Win Defender Restored Quarantine File</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1009)$</field>
    </rule>
    <rule id="900372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Configuration Changes</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5007)$</field>
        <field name="win.eventdata.newValue" negate="no" type="pcre2">(?i)(?:\\+Windows\ Defender\\+DisableAntiSpyware\ |\\+Windows\ Defender\\+Scan\\+DisableRemovableDriveScanning\ |\\+Windows\ Defender\\+Scan\\+DisableScanningMappedNetworkDrivesForFullScan\ |\\+Windows\ Defender\\+SpyNet\\+DisableBlockAtFirstSeen\ |\\+Real\-Time\ Protection\\+SpyNetReporting\ )</field>
    </rule>
    <rule id="900373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Defender Tamper Protection Trigger</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5013)$</field>
        <field name="win.evendata.value" negate="no" type="pcre2">(?i)(?:\\+Windows\ Defender\\+DisableAntiSpyware|\\+Windows\ Defender\\+DisableAntiVirus|\\+Windows\ Defender\\+Scan\\+DisableArchiveScanning|\\+Windows\ Defender\\+Scan\\+DisableScanningNetworkFiles|\\+Real\-Time\ Protection\\+DisableRealtimeMonitoring|\\+Real\-Time\ Protection\\+DisableBehaviorMonitoring|\\+Real\-Time\ Protection\\+DisableIOAVProtection|\\+Real\-Time\ Protection\\+DisableScriptScanning)$</field>
    </rule>
    <rule id="900374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Defender Threat Detected</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:1006|1015|1116|1117)$</field>
    </rule>
    <rule id="900375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Virus Scanning Feature Disabled</description>
        <options>no_full_log</options>
        <group>windows,windefend,</group>
        <if_sid>60005</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5012)$</field>
    </rule>
    <rule id="900376" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,wmi,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5861)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:ActiveScriptEventConsumer|CommandLineEventConsumer|CommandLineTemplate)</field>
    </rule>
    <rule id="900377" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,wmi,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5861)$</field>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:5859)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:SCM\ Event\ Provider)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:select\ .+\ from\ MSFT_SCMEventLogEvent)</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)^(?:S\-1\-5\-32\-544)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Permanent)</field>
    </rule>
    <rule id="900378" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1055.012</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.t1218.005</id>
        </mitre>
        <description>HackTool - CACTUSTORCH Remote Thread Creation</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+System32\\+cscript\.exe|\\+System32\\+wscript\.exe|\\+System32\\+mshta\.exe|\\+winword\.exe|\\+excel\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.startModule" negate="no" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>HackTool - Potential CobaltStrike Process Injection</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.startAddress" negate="no" type="pcre2">(?i)(?:0B80|0C7C|0C88)$</field>
    </rule>
    <rule id="900380" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.005</id>
        </mitre>
        <description>Remote Thread Created In KeePass.EXE</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+KeePass\.exe)$</field>
    </rule>
    <rule id="900381" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>Remote Thread Creation In Mstsc.Exe From Suspicious Location</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i):\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+PerfLogs\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="900382" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Via PowerShell Remote Thread</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
    </rule>
    <rule id="900383" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.011</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Remote Thread Creation Via PowerShell In Uncommon Target</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900384" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.s0005</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Password Dumper Remote Thread in LSASS</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.startModule" negate="no" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="900385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Rare Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cscript\.exe|\\+cvtres\.exe|\\+defrag\.exe|\\+dnx\.exe|\\+esentutl\.exe|\\+excel\.exe|\\+expand\.exe|\\+find\.exe|\\+findstr\.exe|\\+forfiles\.exe|\\+gpupdate\.exe|\\+hh\.exe|\\+installutil\.exe|\\+lync\.exe|\\+makecab\.exe|\\+mDNSResponder\.exe|\\+monitoringhost\.exe|\\+msbuild\.exe|\\+mshta\.exe|\\+mspaint\.exe|\\+outlook\.exe|\\+ping\.exe|\\+provtool\.exe|\\+python\.exe|\\+regsvr32\.exe|\\+robocopy\.exe|\\+runonce\.exe|\\+sapcimc\.exe|\\+smartscreen\.exe|\\+spoolsv\.exe|\\+tstheme\.exe|\\+userinit\.exe|\\+vssadmin\.exe|\\+vssvc\.exe|\\+w3wp\.exe|\\+winscp\.exe|\\+winword\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="900386" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+iexplore\.exe|\\+msiexec\.exe|\\+powerpnt\.exe|\\+schtasks\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winlogon\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wininit\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+LogonUI\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+winlogon\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:4)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+schtasks\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+schtasks\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
    </rule>
    <rule id="900387" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Remote Thread Creation By Uncommon Source Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+iexplore\.exe|\\+msiexec\.exe|\\+powerpnt\.exe|\\+schtasks\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+internet\ explorer\\+iexplore\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)https://</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\.checkpoint\.com/documents/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)SmartConsole_OLH/</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)default\.htm\#cshid=</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+internet\ explorer\\+iexplore\.exe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+CheckPoint\\+SmartConsole\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)\\+SmartConsole\.exe</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+POWERPNT\.EXE)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
    </rule>
    <rule id="900388" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>Remote Thread Creation In Uncommon Target Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+calculator\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+ping\.exe|\\+sethc\.exe|\\+spoolsv\.exe|\\+wordpad\.exe|\\+write\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
    </rule>
    <rule id="900389" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>Remote Thread Creation In Uncommon Target Image</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+calculator\.exe|\\+mspaint\.exe|\\+notepad\.exe|\\+ping\.exe|\\+sethc\.exe|\\+spoolsv\.exe|\\+wordpad\.exe|\\+write\.exe)$</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)^(?:EtwpNotificationThread)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)unknown\ process</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+VMware\\+VMware\ Tools\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)^(?:GetCommandLineW)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+notepad\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Xerox\\+XeroxPrintExperience\\+CommonFiles\\+XeroxPrintJobEventManagerService\.exe)$</field>
        <field name="win.eventdata.startFunction" negate="yes" type="pcre2">(?i)^(?:LoadLibraryW)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spoolsv\.exe)$</field>
    </rule>
    <rule id="900390" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Remote Thread Creation Ttdinject.exe Proxy</description>
        <options>no_full_log</options>
        <group>windows,create_remote_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+ttdinject\.exe)$</field>
    </rule>
    <rule id="900391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.s0139</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Hidden Executable In NTFS Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=</field>
        <field name="win.eventdata.hashes" negate="yes" type="pcre2">(?i)IMPHASH=00000000000000000000000000000000</field>
    </rule>
    <rule id="900392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Creation Of a Suspicious ADS File Outside a Browser Download</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\[ZoneTransfer\]\ \ ZoneId=3)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.exe|\.scr|\.bat|\.cmd|\.docx|\.hta|\.jse|\.lnk|\.pptx|\.ps|\.reg|\.sct|\.vb|\.wsc|\.wsf|\.xlsx</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.ScreenSketch_)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SnippingTool\\+SnippingTool\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+Microsoft\.ScreenSketch_</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+TempState\\+Screenshot\ )</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.png:Zone\.Identifier)$</field>
    </rule>
    <rule id="900393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.s0139</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>HackTool Named File Stream Created</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:bcca3c247b619dcd13c8cdff5f123932|3a19059bd7688cb88e70005f18efc439|bf6223a49e45d99094406777eb6004ba|0c106686a31bfe2ba931ae1cf6e9dbc6|0d1447d4b3259b3c2a1d4cfb7ece13c3|1b0369a1e06271833f78ffa70ffb4eaf|4c1b52a19748428e51b14c278d0f58e3|4d927a711f77d62cebd4f322cb57ec6f|66ee036df5fc1004d9ed5e9a94a1086a|672b13f4a0b6f27d29065123fe882dfc|6bbd59cea665c4afcc2814c1327ec91f|725bb81dc24214f6ecacc0cfb36ad30d|9528a0e91e28fbb88ad433feabca2456|9da6d5d77be11712527dcab86df449a3|a6e01bc1ab89f8d91d9eab72032aae88|b24c5eddaea4fe50c6a96a2a133521e4|d21bbc50dcc169d7b4d0f01962793154|fcc251cceae90d22c392215cc9a2d5d6|23867a89c2b8fc733be6cf5ef902f2d1|a37ff327f8d48e8a4d2f757e1b6e70bc|f9a28c458284584a93b14216308d31bd|6118619783fc175bc7ebecff0769b46e|959a83047e80ab68b368fdb3f4c6e4ea|563233bfa169acc7892451f71ad5850a|87575cb7a0e0700eb37f2e3668671a08|13f08707f759af6003837a150a371ba1|1781f06048a7e58b323f0b9259be798b|233f85f2d4bc9d6521a6caae11a1e7f5|24af2584cbf4d60bbe5c6d1b31b3be6d|632969ddf6dbf4e0f53424b75e4b91f2|713c29b396b907ed71a72482759ed757|749a7bb1f0b4c4455949c0b2bf7f9e9f|8628b2608957a6b0c6330ac3de28ce2e|8b114550386e31895dfab371e741123d|94cb940a1a6b65bed4d5a8f849ce9793|9d68781980370e00e0bd939ee5e6c141|b18a1401ff8f444056d29450fbc0a6ce|cb567f9498452721d77a451374955f5f|730073214094cd328547bf1f72289752|17b461a082950fc6332228572138b80c|dc25ee78e2ef4d36faa0badf1e7461c9|819b19d53ca6736448f9325a85736792|829da329ce140d873b4a8bde2cbfaa7e|c547f2e66061a8dffb6f5a3ff63c0a74|0588081ab0e63ba785938467e1b10cca|0d9ec08bac6c07d9987dfd0f1506587c|bc129092b71c89b4d4c8cdf8ea590b29|4da924cf622d039d58bce71cdf05d242|e7a3a5c377e2d29324093377d7db1c66|9a9dbec5c62f0380b4fa5fd31deffedf|af8a3976ad71e5d5fdfb67ddb8dadfce|0c477898bbf137bbd6f2a54e3b805ff4|0ca9f02b537bcea20d4ea5eb1a9fe338|3ab3655e5a14d4eefc547f4781bf7f9e|e6f9d5152da699934b30daab206471f6|3ad59991ccf1d67339b319b15a41b35d|ffdd59e0318b85a3e480874d9796d872|0cf479628d7cc1ea25ec7998a92f5051|07a2d4dcbd6cb2c6a45e6b101f0b6d51|d6d0f80386e1380d05cb78e871bc72b1|38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650|ada161bf41b8e5e9132858cb54cab5fb|2a1bc4913cd5ecb0434df07cb675b798|11083e75553baae21dc89ce8f9a195e4|a23d29c9e566f2fa8ffbb79267f5df80|4a07f944a83e8a7c2525efa35dd30e2f|767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b|a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2|32089b8851bbf8bc2d014e9f37288c83|09D278F9DE118EF09163C6140255C690|03866661686829d806989e2fc5a72606|e57401fbdadcd4571ff385ab82bd5d6d|84B763C45C0E4A3E7CA5548C710DB4EE|19584675d94829987952432e018d5056|330768a4f172e10acb6287b87289d83b|885c99ccfbe77d1cbfcb9c4e7c1a3313|22a22bc9e4e0d2f189f1ea01748816ac|7fa30e6bb7e8e8a69155636e50bf1b28|96df3a3731912449521f6f8d183279b1|7e6cf3ff4576581271ac8a313b2aab46|51791678f351c03a0eb4e2a7b05c6e17|25ce42b079282632708fc846129e98a5|021bcca20ba3381b11bdde26b4e62f20|59223b5f52d8799d38e0754855cbdf42|81e75d8f1d276c156653d3d8813e4a43|17244e8b6b8227e57fe709ccad421420|5b76da3acdedc8a5cdf23a798b5936b4|cb2b65bb77d995cc1c0e5df1c860133c|40445337761d80cf465136fafb1f63e6|8a790f401b29fa87bc1e56f7272b3aa6)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932|IMPHASH=3A19059BD7688CB88E70005F18EFC439|IMPHASH=bf6223a49e45d99094406777eb6004ba|IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6|IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3|IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF|IMPHASH=4C1B52A19748428E51B14C278D0F58E3|IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F|IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A|IMPHASH=672B13F4A0B6F27D29065123FE882DFC|IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F|IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D|IMPHASH=9528A0E91E28FBB88AD433FEABCA2456|IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3|IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88|IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4|IMPHASH=D21BBC50DCC169D7B4D0F01962793154|IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6|IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1|IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC|IMPHASH=F9A28C458284584A93B14216308D31BD|IMPHASH=6118619783FC175BC7EBECFF0769B46E|IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA|IMPHASH=563233BFA169ACC7892451F71AD5850A|IMPHASH=87575CB7A0E0700EB37F2E3668671A08|IMPHASH=13F08707F759AF6003837A150A371BA1|IMPHASH=1781F06048A7E58B323F0B9259BE798B|IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5|IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D|IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2|IMPHASH=713C29B396B907ED71A72482759ED757|IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F|IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E|IMPHASH=8B114550386E31895DFAB371E741123D|IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793|IMPHASH=9D68781980370E00E0BD939EE5E6C141|IMPHASH=B18A1401FF8F444056D29450FBC0A6CE|IMPHASH=CB567F9498452721D77A451374955F5F|IMPHASH=730073214094CD328547BF1F72289752|IMPHASH=17B461A082950FC6332228572138B80C|IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9|IMPHASH=819B19D53CA6736448F9325A85736792|IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E|IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74|IMPHASH=0588081AB0E63BA785938467E1B10CCA|IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C|IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29|IMPHASH=4DA924CF622D039D58BCE71CDF05D242|IMPHASH=E7A3A5C377E2D29324093377D7DB1C66|IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF|IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE|IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4|IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338|IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E|IMPHASH=E6F9D5152DA699934B30DAAB206471F6|IMPHASH=3AD59991CCF1D67339B319B15A41B35D|IMPHASH=FFDD59E0318B85A3E480874D9796D872|IMPHASH=0CF479628D7CC1EA25EC7998A92F5051|IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51|IMPHASH=D6D0F80386E1380D05CB78E871BC72B1|IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650|IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB|IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798|IMPHASH=11083E75553BAAE21DC89CE8F9A195E4|IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80|IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F|IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B|IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F|IMPHASH=E96A73C7BF33A464C510EDE582318BF2|IMPHASH=32089B8851BBF8BC2D014E9F37288C83|IMPHASH=09D278F9DE118EF09163C6140255C690|IMPHASH=03866661686829d806989e2fc5a72606|IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d|IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE|IMPHASH=19584675D94829987952432E018D5056|IMPHASH=330768A4F172E10ACB6287B87289D83B|IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313|IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC|IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28|IMPHASH=96DF3A3731912449521F6F8D183279B1|IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46|IMPHASH=51791678F351C03A0EB4E2A7B05C6E17|IMPHASH=25CE42B079282632708FC846129E98A5|IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20|IMPHASH=59223B5F52D8799D38E0754855CBDF42|IMPHASH=81E75D8F1D276C156653D3D8813E4A43|IMPHASH=17244E8B6B8227E57FE709CCAD421420|IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4|IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C|IMPHASH=40445337761D80CF465136FAFB1F63E6|IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6</field>
    </rule>
    <rule id="900394" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Exports Registry Key To an Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
    </rule>
    <rule id="900395" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Unusual File Download from Direct IP Address</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ps1:Zone|\.bat:Zone|\.exe:Zone|\.vbe:Zone|\.vbs:Zone|\.dll:Zone|\.one:Zone|\.cmd:Zone|\.hta:Zone|\.xll:Zone|\.lnk:Zone</field>
    </rule>
    <rule id="900396" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Suspicious Winget Package Installation</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\[ZoneTransfer\]\ \ ZoneId=3)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
    </rule>
    <rule id="900397" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious File Download From ZIP TLD</description>
        <options>no_full_log</options>
        <group>windows,create_stream_hash,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\.zip/</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.bat:Zone|\.dat:Zone|\.dll:Zone|\.doc:Zone|\.docm:Zone|\.exe:Zone|\.hta:Zone|\.pptm:Zone|\.ps1:Zone|\.rar:Zone|\.rtf:Zone|\.sct:Zone|\.vbe:Zone|\.vbs:Zone|\.ws:Zone|\.wsf:Zone|\.xll:Zone|\.xls:Zone|\.xlsm:Zone|\.zip:Zone</field>
    </rule>
    <rule id="900398" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query for Anonfiles.com Domain - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.anonfiles\.com</field>
    </rule>
    <rule id="900399" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>AppX Package Installation Attempts Via AppInstaller.EXE</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.DesktopAppInstaller_)</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppInstaller\.exe)$</field>
    </rule>
    <rule id="900400" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Cloudflared Tunnels Related DNS Requests</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.v2\.argotunnel\.com|protocol\-v2\.argotunnel\.com|trycloudflare\.com|update\.argotunnel\.com)$</field>
    </rule>
    <rule id="900401" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>DNS Query To Devtunnels Domain</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.devtunnels\.ms)$</field>
    </rule>
    <rule id="900402" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>DNS Server Discovery Via LDAP Query</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:_ldap\.)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:&lt;unknown\ process&gt;)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900403" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>DNS Server Discovery Via LDAP Query</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:_ldap\.)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WindowsAzure\\+GuestAgent)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
    </rule>
    <rule id="900404" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1554</id>
        </mitre>
        <description>DNS HybridConnectionManager Service Bus</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)servicebus\.windows\.net</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)HybridConnectionManager</field>
    </rule>
    <rule id="900405" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:aaa\.stage\.|post\.1)</field>
    </rule>
    <rule id="900406" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>Suspicious Cobalt Strike DNS Beaconing - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.stage\.123456\.</field>
    </rule>
    <rule id="900407" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To MEGA Hosting Website</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)userstorage\.mega\.co\.nz</field>
    </rule>
    <rule id="900408" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056</id>
        </mitre>
        <description>DNS Query Request To OneLaunch Update Service</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:update\.onelaunch\.com)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OneLaunch\.exe)$</field>
    </rule>
    <rule id="900409" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>DNS Query Request By Regsvr32.EXE</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900410" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:agent\.jumpcloud\.com|agentreporting\.atera\.com|ammyy\.com|api\.parsec\.app|api\.playanext\.com|api\.splashtop\.com|app\.atera\.com|assist\.zoho\.com|authentication\.logmeininc\.com|beyondtrustcloud\.com|cdn\.kaseya\.net|client\.teamviewer\.com|comserver\.corporate\.beanywhere\.com|control\.connectwise\.com|downloads\.zohocdn\.com|dwservice\.net|express\.gotoassist\.com|getgo\.com|integratedchat\.teamviewer\.com|join\.zoho\.com|kickstart\.jumpcloud\.com|license\.bomgar\.com|logmein\-gateway\.com|logmein\.com|logmeincdn\.http\.internapcdn\.net|n\-able\.com|net\.anydesk\.com|netsupportsoftware\.com|parsecusercontent\.com|pubsub\.atera\.com|relay\.kaseya\.net|relay\.screenconnect\.com|relay\.splashtop\.com|remotedesktop\-pa\.googleapis\.com|remoteutilities\.com|secure\.logmeinrescue\.com|services\.vnc\.com|static\.remotepc\.com|swi\-rc\.com|swi\-tc\.com|telemetry\.servers\.qetqo\.com|tmate\.io|zohoassist\.com)$</field>
    </rule>
    <rule id="900411" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.rustdesk\.com)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:rs\-)</field>
    </rule>
    <rule id="900412" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>DNS Query To Remote Access Software Domain From Non-Browser App</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsSense\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+BraveSoftware\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Maxthon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Vivaldi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Tor\ Browser\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Waterfox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+midori\-ng\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Midori\ Next\ Generation\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slimbrowser\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Flock\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Flock\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Phoebe\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Phoebe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+falkon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+avant\.exe)$</field>
    </rule>
    <rule id="900413" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1590</id>
        </mitre>
        <description>Suspicious DNS Query for IP Lookup Service APIs</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:www\.ip\.cn|l2\.io)$</field>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)api\.2ip\.ua|api\.bigdatacloud\.net|api\.ipify\.org|bot\.whatismyipaddress\.com|canireachthe\.net|checkip\.amazonaws\.com|checkip\.dyndns\.org|curlmyip\.com|db\-ip\.com|edns\.ip\-api\.com|eth0\.me|freegeoip\.app|geoipy\.com|getip\.pro|icanhazip\.com|ident\.me|ifconfig\.io|ifconfig\.me|ip\-api\.com|ip\.360\.cn|ip\.anysrc\.net|ip\.taobao\.com|ip\.tyk\.nu|ipaddressworld\.com|ipapi\.co|ipconfig\.io|ipecho\.net|ipinfo\.io|ipip\.net|ipof\.in|ipv4\.icanhazip\.com|ipv4bot\.whatismyipaddress\.com|ipv6\-test\.com|ipwho\.is|jsonip\.com|myexternalip\.com|seeip\.org|wgetip\.com|whatismyip\.akamai\.com|whois\.pconline\.com\.cn|wtfismyip\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900414" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Domain Query By Non-TeamViewer Application</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)^(?:taf\.teamviewer\.com|udp\.ping\.teamviewer\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)TeamViewer</field>
    </rule>
    <rule id="900415" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>DNS Query Tor .Onion Address - Sysmon</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)\.onion</field>
    </rule>
    <rule id="900416" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>DNS Query To Ufile.io</description>
        <options>no_full_log</options>
        <group>windows,dns_query,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)ufile\.io</field>
    </rule>
    <rule id="900417" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>DNS Query To Visual Studio Code Tunnels Domain</description>
        <options>no_full_log</options>
        <group>dns_query,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.queryName" negate="no" type="pcre2">(?i)(?:\.tunnels\.api\.visualstudio\.com)$</field>
    </rule>
    <rule id="900418" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Malicious Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=5be61a24f50eb4c94d98b8a82ef58dcf|MD5=d70a80fc73dd43469934a7b1cc623c76|MD5=3b71eab204a5f7ed77811e41fed73105|MD5=528ce5ce19eb34f401ef024de7ddf222|MD5=ae548418b491cd3f31618eb9e5730973|MD5=72f53f55898548767e0276c472be41e8|MD5=508faa4647f305a97ed7167abc4d1330|MD5=ed2b653d55c03f0bffa250372d682b75|MD5=0d2ba47286f1c68e87622b3a16bf9d92|MD5=3164bd6c12dd0fe1bdf3b833d56323b9|MD5=70fd7209ce5c013a1f9e699b5cc86cdc|MD5=c71be7b112059d2dc84c0f952e04e6cc|MD5=acac842a46f3501fe407b1db1b247a0b|MD5=01c2e4d8234258451083d6ce4e8910b7|MD5=c8541a9cef64589593e999968a0385b9|MD5=e172a38ade3aa0a2bc1bf9604a54a3b5|MD5=6fcf56f6ca3210ec397e55f727353c4a|MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16|MD5=07056573d464b0f5284f7e3acedd4a3f|MD5=c7b7f1edb9bbef174e6506885561d85d|MD5=d5918d735a23f746f0e83f724c4f26e5|MD5=84763d8ca9fe5c3bff9667b2adf667de|MD5=fb593b1f1f80d20fc7f4b818065c64b6|MD5=909f3fc221acbe999483c87d9ead024a|MD5=e29f6311ae87542b3d693c1f38e4e3ad|MD5=aeb0801f22d71c7494e884d914446751|MD5=3f11a94f1ac5efdd19767c6976da9ba4|MD5=be6318413160e589080df02bb3ca6e6a|MD5=0b311af53d2f4f77d30f1aed709db257|MD5=d075d56dfce6b9b13484152b1ef40f93|MD5=27384ec4c634701012a2962c30badad2|MD5=5eb2c576597dd21a6b44557c237cf896|MD5=f56db4eba3829c0918413b5c0b42f00f|MD5=e27b2486aa5c256b662812b465b6036c|MD5=db86dfd7aefbb5be6728a63461b0f5f3|MD5=04a88f5974caa621cee18f34300fc08a|MD5=5129d8fd53d6a4aba81657ab2aa5d243|MD5=cd2c641788d5d125c316ed739c69bb59|MD5=7073cd0085fcba1cd7d3568f9e6d652c|MD5=24f0f2b4b3cdae11de1b81c537df41c7|MD5=88bea56ae9257b40063785cf47546024|MD5=63060b756377fce2ce4ab9d079ca732f|MD5=50b39072d0ee9af5ef4824eca34be6e3|MD5=57c18a8f5d1ba6d015e4d5bc698e3624|MD5=7d26985a5048bad57d9c223362f3d55c|MD5=ba54a0dbe2685e66e21d41b4529b3528|MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11|MD5=b52f51bbe6b49d0b475d943c29c4d4cb|MD5=a837302307dace2a00d07202b661bce2|MD5=78a122d926ccc371d60c861600c310f3|MD5=bdb305aa0806f8b38b7ce43c927fe919|MD5=27053e964667318e1b370150cbca9138|MD5=6a4fbcfb44717eae2145c761c1c99b6a|MD5=d13c1b76b4a1ca3ff5ab63678b51df6d|MD5=6a066d2be83cf83f343d0550b0b8f206|MD5=7108b0d4021af4c41de2c223319cd4c1|MD5=1cd158a64f3d886357535382a6fdad75|MD5=e939448b28a4edc81f1f974cebf6e7d2|MD5=4198d3db44d7c4b3ba9072d258a4fc2d|MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20|MD5=30ca3cc19f001a8f12c619daa8c6b6e3|MD5=fe9004353b25640f6a879e57f07122d7|MD5=06c7fcf3523235cf52b3eee083ec07b2|MD5=364605ad21b9275681cffef607fac273|MD5=968ddb06af90ef83c5f20fbdd4eee62e|MD5=ba50bd645d7c81416bb26a9d39998296|MD5=29e03f4811b64969e48a99300978f58c|MD5=b0770094c3c64250167b55e4db850c04|MD5=40b968ecdbe9e967d92c5da51c390eee|MD5=b6b530dd25c5eb66499968ec82e8791e|MD5=f209cb0e468ca0b76d879859d5c8c54e|MD5=76f8607fc4fb9e828d613a7214436b66|MD5=4b058945c9f2b8d8ebc485add1101ba5|MD5=faae7f5f69fde12303dd1c0c816b72b7|MD5=89d294ef7fefcdf1a6ca0ab96a856f57|MD5=ef0e1725aaf0c6c972593f860531a2ea|MD5=bbdbffebfc753b11897de2da7c9912a5|MD5=5ebfc0af031130ba9de1d5d3275734b3|MD5=22949977ce5cd96ba674b403a9c81285|MD5=77cfd3943cc34d9f5279c330cd8940bc|MD5=311de109df18e485d4a626b5dbe19bc6|MD5=2730cc25ad385acc7213a1261b21c12d|MD5=87dc81ebe85f20c1a7970e495a778e60|MD5=154b45f072fe844676e6970612fd39c7|MD5=5a4fe297c7d42539303137b6d75b150d|MD5=d6a1dd7b2c06f058b408b3613c13d413|MD5=a6e9d6505f6d2326a8a9214667c61c67|MD5=7fad9f2ef803496f482ce4728578a57a|MD5=5076fba3d90e346fd17f78db0a4aa12c|MD5=79df0eabbf2895e4e2dae15a4772868c|MD5=14580bd59c55185115fd3abe73b016a2|MD5=1f2888e57fdd6aee466962c25ba7d62d|MD5=5e9231e85cecfc6141e3644fda12a734|MD5=dc564bac7258e16627b9de0ce39fae25|MD5=4e4c068c06331130334f23957fca9e3c|MD5=1ee9f6326649cd23381eb9d7dfdeddf7|MD5=4e1f656001af3677856f664e96282a6f|MD5=36f44643178c505ea0384e0fb241e904|MD5=6b480fac7caca2f85be9a0cfe79aedfc|MD5=c1ab425977d467b64f437a6c5ad82b44|MD5=fe508caa54ffeb2285d9f00df547fe4a|MD5=d3af70287de8757cebc6f8d45bb21a20|MD5=990b949894b7dc82a8cf1131b063cb1a|MD5=c62209b8a5daf3f32ad876ad6cefda1b|MD5=c159fb0f345a8771e56aab8e16927361|MD5=19b15eeccab0752c6793f782ca665a45|MD5=1d51029dfbd616bf121b40a0d1efeb10|MD5=157a22689629ec876337f5f9409918d5|MD5=3dd829fb27353622eff34be1eabb8f18|MD5=8636fe3724f2bcba9399daffd6ef3c7e|MD5=3d0b3e19262099ade884b75ba86ca7e8|MD5=97539c78d6e2b5356ce79e40bcd4d570|MD5=0308b6888e0f197db6704ca20203eee4|MD5=091a6bd4880048514c5dd3bede15eba5|MD5=7e92f98b809430622b04e88441b2eb04|MD5=bb5bda8889d8d27ef984dbd6ad82c946|MD5=b76aee508f68b5b6dccd6e1f66f4cf8b|MD5=a822b9e6eedf69211013e192967bf523|MD5=df52f8a85eb64bc69039243d9680d8e4|MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a|MD5=44857ca402a15ab51dc5afe47abdfa44|MD5=f9844524fb0009e5b784c21c7bad4220|MD5=d34b218c386bfe8b1f9c941e374418d7|MD5=0ca010a32a9b0aeae1e46d666b83b659|MD5=93496a436c5546156a69deb255a9fed0|MD5=1cd5e231064e03c596e819b6ff48daf9|MD5=70a71fe86df717ac59dbf856d7ac5789|MD5=a33089d4e50f7d2ea8b52ca95d26ebf3|MD5=e0cc9b415d884f85c45be145872892b8|MD5=a42249a046182aaaf3a7a7db98bfa69d|MD5=c5ae6ca044bd03c3506c132b033be1dc|MD5=7ebe606acd81abf1f8cb0767c974164b|MD5=b5dcc869a91efcc6e8ea0c3c07605d63|MD5=62c18d61ed324088f963510bae43b831|MD5=093a2a635c3a27aac50efd6463f4efa1|MD5=28102acca39ad0199f262ba9958be3f4|MD5=650ef9dd70cb192027e536754d6e0f63|MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44|MD5=6771b13a53b9c7449d4891e427735ea2|MD5=072ba2309b825ce1dba37d8d924ea8ed|MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb|MD5=1325ec39e98225e487b40043faee8052|MD5=4484f4007de2c3ee4581a2cff77ca3b4|MD5=a236e7d654cd932b7d11cb604629a2d0|MD5=17509f0a98dc5c5d52c3f9ac1428a21b|MD5=840a5edf2534dd23a082cf7b28cbfc4d|MD5=77a7ed4798d02ef6636cd0fd07fc382a|MD5=a9df5964635ef8bd567ae487c3d214c4|MD5=8b75047199825c8e62fdcc1c915db8bd|MD5=d416494232c4197cb36a914df2e17677|MD5=4cf14a96485a1270fed97bb8000e4f86|MD5=35e512f9bedc89dca5ce81f35820714c|MD5=40f35792e7565aa047796758a3ce1b77|MD5=f7f31bccc9b7b2964ac85106831022b1|MD5=26aedc10d4215ba997495d3a68355f4a|MD5=10f3679384a03cb487bda9621ceb5f90|MD5=80219fb6b5954c33e16bac5ecdac651b|MD5=cee36b5c6362993fa921435979bfbe4a|MD5=e37a08f516b8a7ca64163f5d9e68fe5a|MD5=49518f7375a5f995ebe9423d8f19cfe4|MD5=920df6e42cf91bbe19707f5a86e3c5c5|MD5=2ec877e425bd7eddb663627216e3491e|MD5=550b7991d93534bc510bc4f237155a7a|MD5=98d53f6b3bec0a3417a04fbb9e17fa06|MD5=13a57a4ef721440c7c9208b51f7c05de|MD5=c5fc3605194e033bdf3781ff2adaeb61|MD5=6e625ec04c20a9dbd48c7060efbf5e92|MD5=0b9b78d1281c7d4ab50497cf6ea7452a|MD5=4e906fcb13e2793c98f47291fd69391b|MD5=2bb353891d65c9e267eb98a3a2b694c3|MD5=7d86cdda7f49f91fdb69901a002b34e7|MD5=f69b06ca7c34d16f26ea1c6861edf62a|MD5=ee6b1a79cb6641aa44c762ee90786fe0|MD5=1fc7aeeff3ab19004d2e53eae8160ab1|MD5=24d3ea54f25e32832ac20335a1ce1062|MD5=c94f405c5929cfcccc8ad00b42c95083|MD5=b164daf106566f444dfb280d743bc2f7|MD5=93130909e562925597110a617f05e2a9|MD5=f589d4bf547c140b6ec8a511ea47c658|MD5=bf445ac375977ecf551bc2a912c58e8a|MD5=629ee55e4b5a225d048fbcd5f0a1d18b|MD5=0023ca0ca16a62d93ef51f3df98b2f94|MD5=a3d69c7e24300389b56782aa63b0e357|MD5=cbd8d370462503508e44dba023bdf9bc|MD5=67daa04716803a15fc11c9e353d77c2f|MD5=c9d4214c850e0cedf033dc8f0cd3aace|MD5=bd5b0514f3b40f139d8079138d01b5f6|MD5=19bdd9b799e3c2c54c0d7fff68b31c20|MD5=f242cffd9926c0ccf94af3bf16b6e527|MD5=5aeab9427d85951def146b4c0a44fc63|MD5=40170485cca576adb5266cf5b0d3b0bd|MD5=c277c4386a78fae1b7e17eaecf4f472b|MD5=58c37866cbc3d1338e4fc58ada924ffe|MD5=0f16a43f7989034641fd2de3eb268bf1|MD5=0ae30291c6cbfa7be39320badd6e8de0|MD5=05dd59bd4f175304480affd8f1305c37|MD5=f838f4eb36f1e7036238776c7a70f0b0|MD5=85093bb9f027027c2c61aee50796de30|MD5=ae338d91d1b05a72559b7f6ed717362d|MD5=bd91787b5dcb2189b856804e85dfa1d9|MD5=6b3c1511e12f4d27a4ea3b18020d7b84|MD5=97264fd62d4907bdac917917a07b3b7a|MD5=6ececf26ff8b03ed7ffbddadec9a9dab|MD5=47e6ac52431ca47da17248d80bf71389|MD5=eb57f03b7603f0b235af62e8cd5be8c2|MD5=e1a9aa4c14669b1fb1f67a7266f87e82|MD5=29047f0b7790e524b09a06852d31a117|MD5=4dd6250eb2d368f500949952eb013964|MD5=fb7c61ef427f9b2fdff3574ee6b1819b|MD5=844af8c877f5da723c1b82cf6e213fc1|MD5=e39152eadd76751b1d7485231b280948|MD5=ac6e29f535b2c42999c50d2fc32f2c9c|MD5=2406ea37152d2154be3fef6d69ada2c6|MD5=0ea8389589c603a8b05146bd06020597|MD5=754e21482baf18b8b0ed0f4be462ba03|MD5=c4a517a02ba9f6eac5cf06e3629cc076|MD5=32282e07db321e8d7849f2287bb6a14f|MD5=32b67a6cd6dd998b9f563ed13d54a8bc|MD5=3359e1d4244a7d724949c63e89689ef8|MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0|MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6|MD5=a90236e4962620949b720f647a91f101|MD5=ccde8c94439f9fc9c42761e4b9a23d97|MD5=68caf620ef8deaf06819cf8c80d3367b|MD5=5fec28e8f4f76e5ede24beb32a32b9d7|MD5=e8eac6642b882a6196555539149c73f2|MD5=aa98b95f5cbae8260122de06a215ee10|MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80|MD5=abc168fdca7169bf9dc40cec9761018d|MD5=7f9309f5e4defec132b622fadbcad511|MD5=4748696211bd56c2d93c21cab91e82a5|MD5=48394dce30bb8da5ae089cb8f41b86dc|MD5=65f800e1112864bf41eb815649f428d5|MD5=bd25be845c151370ff177509d95d5add|MD5=a37ed7663073319d02f2513575a22995|MD5=2c39f6172fbc967844cac12d7ab2fa55|MD5=491aec2249ad8e2020f9f9b559ab68a8|MD5=1e0eb80347e723fa31fce2abb0301d44|MD5=a26363e7b02b13f2b8d697abb90cd5c3|MD5=4118b86e490aed091b1a219dba45f332|MD5=6d131a7462e568213b44ef69156f10a5|MD5=10c2ea775c9e76e7774ab89e38f38287|SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79|SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23|SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe|SHA1=af42afda54d150810a60baa7987f9f09d49d1317|SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7|SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462|SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7|SHA1=e730eb971ecb493b69de2308b6412836303f733a|SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca|SHA1=5fef884a901e81ac173d63ade3f5c51694decf74|SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc|SHA1=6451522b1fb428e549976d0742df5034f8124b17|SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a|SHA1=cc65bf60600b64feece5575f21ab89e03a728332|SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166|SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a|SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3|SHA1=c42178977bd7bbefe084da0129ed808cb7266204|SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333|SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee|SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837|SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf|SHA1=7638c048af5beae44352764390deea597cc3e7b1|SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5|SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2|SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87|SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e|SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d|SHA1=505546d82aab56889a923004654b9afdec54efe6|SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a|SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383|SHA1=844d7bcd1a928d340255ff42971cca6244a459bf|SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f|SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684|SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e|SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84|SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285|SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6|SHA1=607387cc90b93d58d6c9a432340261fde846b1d9|SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07|SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6|SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6|SHA1=b8b123a413b7bccfa8433deba4f88669c969b543|SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509|SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22|SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d|SHA1=a111dc6ae5575977feba71ee69b790e056846a02|SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3|SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2|SHA1=0de86ec7d7f16a3680df89256548301eed970393|SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2|SHA1=0883a9c54e8442a551994989db6fc694f1086d41|SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16|SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10|SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09|SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c|SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39|SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c|SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f|SHA1=994dc79255aeb662a672a1814280de73d405617a|SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1|SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5|SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b|SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61|SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9|SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7|SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b|SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd|SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2|SHA1=17fa047c1f979b180644906fe9265f21af5b0509|SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3|SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a|SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048|SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f|SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b|SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527|SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130|SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d|SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1|SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a|SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08|SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec|SHA1=73bac306292b4e9107147db94d0d836fdb071e33|SHA1=9382981b05b1fb950245313992444bfa0db5f881|SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3|SHA1=9c36600c2640007d3410dea8017573a113374873|SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb|SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7|SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab|SHA1=cb25a5125fb353496b59b910263209f273f3552d|SHA1=a5f1b56615bdaabf803219613f43671233f2001c|SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38|SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7|SHA1=632c80a3c95cf589b03812539dea59594eaefae0|SHA1=e6966e360038be3b9d8c9b2582eba4e263796084|SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab|SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51|SHA1=80e4808a7fe752cac444676dbbee174367fa2083|SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0|SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2|SHA1=3825ebb0b0664b5f0789371240f65231693be37d|SHA1=de9469a5d01fb84afd41d176f363a66e410d46da|SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b|SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff|SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5|SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358|SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405|SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8|SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2|SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed|SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe|SHA1=9481cd590c69544c197b4ee055056302978a7191|SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da|SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b|SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5|SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4|SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25|SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc|SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457|SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d|SHA1=f6793243ad20359d8be40d3accac168a15a327fb|SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1|SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8|SHA1=10115219e3595b93204c70eec6db3e68a93f3144|SHA1=161bae224cf184ed6c09c77fae866d42412c6d25|SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82|SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d|SHA1=745335bcdf02fb42df7d890a24858e16094f48fd|SHA1=2a202830db58d5e942e4f6609228b14095ed2cab|SHA1=0167259abd9231c29bec32e6106ca93a13999f90|SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167|SHA1=613a9df389ad612a5187632d679da11d60f6046a|SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514|SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86|SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d|SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb|SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812|SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528|SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3|SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d|SHA1=552730553a1dea0290710465fb8189bdd0eaad42|SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35|SHA1=07f282db28771838d0e75d6618f70d76acfe6082|SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e|SHA1=22c9da04847c26188226c3a345e2126ef00aa19e|SHA1=43501832ce50ccaba2706be852813d51de5a900f|SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542|SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde|SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc|SHA1=928b5971a0f7525209d599e2ef15c31717047022|SHA1=b5696e2183d9387776820ef3afa388200f08f5a6|SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2|SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3|SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774|SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945|SHA1=064de88dbbea67c149e779aac05228e5405985c7|SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7|SHA1=98130128685c8640a8a8391cb4718e98dd8fe542|SHA1=a5914161f8a885702427cf75443fb08d28d904f0|SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad|SHA1=fff4f28287677caabc60c8ab36786c370226588d|SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5|SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2|SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda|SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4|SHA1=87e20486e804bfff393cc9ad9659858e130402a2|SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c|SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9|SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a|SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0|SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b|SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6|SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b|SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c|SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a|SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed|SHA1=76568d987f8603339b8d1958f76de2b957811f66|SHA1=e841c8494b715b27b33be6f800ca290628507aba|SHA1=b555aad38df7605985462f3899572931ee126259|SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1|SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327|SHA1=bb6ef5518df35d9508673d5011138add8c30fc27|SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b|SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307|SHA1=34b677fba9dcab9a9016332b3332ce57f5796860|SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d|SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e|SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2|SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72|SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5|SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a|SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef|SHA1=18693de1487c55e374b46a7728b5bf43300d4f69|SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98|SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c|SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5|SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8|SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c|SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196|SHA1=e42bd2f585c00a1d6557df405246081f89542d15|SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9|SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd|SHA1=948368fe309652e8d88088d23e1df39e9c2b6649|SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d|SHA1=1f25f54e9b289f76604e81e98483309612c5a471|SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d|SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d|SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09|SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f|SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652|SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad|SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c|SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a|SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b|SHA1=d02403f85be6f243054395a873b41ef8a17ea279|SHA1=4da007dd298723f920e194501bb49bab769dfb14|SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a|SHA1=221717a48ee8e2d19470579c987674f661869e17|SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa|SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56|SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375|SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3|SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe|SHA1=6d09d826581baa1817be6fbd44426db9b05f1909|SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e|SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631|SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997|SHA1=0320534df24a37a245a0b09679a5adb27018fb5f|SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0|SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef|SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202|SHA1=062457182ab08594c631a3f897aeb03c6097eb77|SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25|SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670|SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e|SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5|SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b|SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739|SHA1=020580278d74d0fe741b0f786d8dca7554359997|SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677|SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4|SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7|SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d|SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f|SHA1=c257aa4094539719a3c7b7950598ef872dbf9518|SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49|SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e|SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c|SHA1=86f34eaea117f629297218a4d196b5729e72d7b9|SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0|SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7|SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8|SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb|SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a|SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb|SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d|SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2|SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a|SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212|SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b|SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac|SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1|SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76|SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421|SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316|SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47|SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03|SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c|SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553|SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87|SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330|SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852|SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304|SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931|SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d|SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c|SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736|SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830|SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104|SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a|SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a|SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a|SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0|SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392|SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd|SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee|SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01|SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254|SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231|SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39|SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d|SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1|SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae|SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4|SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50|SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9|SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212|SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25|SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09|SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1|SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99|SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae|SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475|SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2|SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c|SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb|SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db|SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2|SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c|SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b|SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c|SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217|SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597|SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37|SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4|SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376|SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a|SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e|SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a|SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25|SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be|SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7|SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a|SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c|SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987|SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f|SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad|SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e|SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5|SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b|SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa|SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972|SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a|SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46|SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f|SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4|SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8|SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6|SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21|SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894|SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd|SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62|SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e|SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff|SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b|SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870|SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640|SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530|SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd|SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550|SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9|SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b|SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c|SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988|SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875|SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263|SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4|SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280|SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9|SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12|SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe|SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b|SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f|SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a|SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719|SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908|SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de|SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc|SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a|SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427|SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653|SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919|SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad|SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920|SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77|SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e|SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105|SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2|SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa|SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112|SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4|SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff|SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3|SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925|SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6|SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878|SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59|SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66|SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280|SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7|SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167|SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a|SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7|SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec|SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620|SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f|SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905|SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3|SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b|SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab|SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc|SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968|SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28|SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0|SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93|SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12|SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8|SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895|SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3|SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f|SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be|SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8|SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f|SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe|SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4|SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5|SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af|SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40|SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6|SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d|SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a|SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96|SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497|SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2|SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce|SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96|SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576|SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80|SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266|SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724|SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee|SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b|SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f|SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e|SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1|SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952|SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da|SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e|SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463|SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7|SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0|SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1|SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9|SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a|SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85|SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac|SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873|SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7|SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38|SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c|SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c|SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524|SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51|SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df|SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601|SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7|SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3|SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19|SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55|SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe|SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85|SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1|SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06|SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c|SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3|SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55|SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778|SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6|SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6|SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43|SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3|SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7|SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715|SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434|SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0|SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f|SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327|SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d|SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021|SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4|SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15|SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f|SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2|SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677|SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d|SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d|SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f|SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57|SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc|SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c|SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35|SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440|IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7|IMPHASH=7641a0c227f0a3a45b80bb8af43cd152|IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c|IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d|IMPHASH=beceab354c66949088c9e5ed1f1ff2a4|IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626|IMPHASH=420625b024fba72a24025defdf95b303|IMPHASH=65ccc2c578a984c31880b6c5e65257d3|IMPHASH=e717abe060bc5c34925fe3120ac22f45|IMPHASH=41113a3a832353963112b94f4635a383|IMPHASH=3866dd9fe63de457bdbf893bf7050ddf|IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4|IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca|IMPHASH=c9a6e83d931286d1604d1add8403e1e5|IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372|IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f|IMPHASH=8e35c9460537092672b3c7c14bccc7e0|IMPHASH=7bf14377888c429897eb10a85f70266c|IMPHASH=b351627263648b1d220bb488e7ec7202|IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a|IMPHASH=a7bd820fa5b895fab06f20739c9f24b8|IMPHASH=be0dd8b8e045356d600ee55a64d9d197|IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8|IMPHASH=6c8d5c79a850eecc2fb0291cebda618d|IMPHASH=c32d9a9af7f702814e1368c689877f3a|IMPHASH=6b387c029257f024a43a73f38afb2629|IMPHASH=df43355c636583e56e92142dcc69cc58|IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd|IMPHASH=c214aac08575c139e48d04f5aee21585|IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7|IMPHASH=059c6bd84285f4960e767f032b33f19b|IMPHASH=a09170ef09c55cdca9472c02cb1f2647|IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a|IMPHASH=0262d4147f21d681f8519ab2af79283f|IMPHASH=832219eb71b8bdb771f1d29d27b0acf4|IMPHASH=514298d18002920ee5a917fc34426417|IMPHASH=26ceec6572c630bdad60c984e51b7da4|IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90|IMPHASH=4b47f6031c558106eee17655f8f8a32f|IMPHASH=a6c4a7369500900fc172f9557cff22cf|IMPHASH=3b49942ec6cef1898e97f741b2b5df8a|IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511|IMPHASH=27f6dc8a247a22308dd1beba5086b302|IMPHASH=7d017945bf90936a6c40f73f91ed02c2|IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97|IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e|IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9|IMPHASH=87fd2b54ed568e2294300e164b8c46f7|IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a|IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff|IMPHASH=2a008187d4a73284ddcc43f1b727b513|IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127|IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4|IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4|IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771</field>
    </rule>
    <rule id="900419" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Malicious Driver Load By Name</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wfshbr64\.sys|\\+ktmutil7odm\.sys|\\+ktes\.sys|\\+a26363e7b02b13f2b8d697abb90cd5c3\.sys|\\+kt2\.sys|\\+4748696211bd56c2d93c21cab91e82a5\.sys|\\+malicious\.sys|\\+a236e7d654cd932b7d11cb604629a2d0\.sys|\\+spwizimgvt\.sys|\\+c94f405c5929cfcccc8ad00b42c95083\.sys|\\+fur\.sys|\\+wantd\.sys|\\+windbg\.sys|\\+4118b86e490aed091b1a219dba45f332\.sys|\\+gmer64\.sys|\\+1fc7aeeff3ab19004d2e53eae8160ab1\.sys|\\+poortry2\.sys|\\+wintapix\.sys|\\+daxin_blank6\.sys|\\+6771b13a53b9c7449d4891e427735ea2\.sys|\\+blacklotus_driver\.sys|\\+air_system10\.sys|\\+dkrtk\.sys|\\+7\.sys|\\+sense5ext\.sys|\\+ktgn\.sys|\\+ndislan\.sys|\\+nlslexicons0024uvn\.sys|\\+be6318413160e589080df02bb3ca6e6a\.sys|\\+4\.sys|\\+wantd_2\.sys|\\+e29f6311ae87542b3d693c1f38e4e3ad\.sys|\\+daxin_blank3\.sys|\\+gftkyj64\.sys|\\+daxin_blank2\.sys|\\+wantd_4\.sys|\\+reddriver\.sys|\\+834761775\.sys|\\+mlgbbiicaihflrnh\.sys|\\+mjj0ge\.sys|\\+daxin_blank\.sys|\\+daxin_blank5\.sys|\\+poortry1\.sys|\\+msqpq\.sys|\\+mimidrv\.sys|\\+e939448b28a4edc81f1f974cebf6e7d2\.sys|\\+prokiller64\.sys|\\+nodedriver\.sys|\\+wantd_3\.sys|\\+lctka\.sys|\\+kapchelper_x64\.sys|\\+daxin_blank4\.sys|\\+a9df5964635ef8bd567ae487c3d214c4\.sys|\\+wantd_6\.sys|\\+ntbios\.sys|\\+wantd_5\.sys|\\+pciecubed\.sys|\\+mimikatz\.sys|\\+nqrmq\.sys|\\+2\.sys|\\+poortry\.sys|\\+ntbios_2\.sys|\\+fgme\.sys|\\+telephonuafy\.sys|\\+typelibde\.sys|\\+daxin_blank1\.sys|\\+ef0e1725aaf0c6c972593f860531a2ea\.sys|\\+5a4fe297c7d42539303137b6d75b150d\.sys)$</field>
    </rule>
    <rule id="900420" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+kprocesshacker\.sys)$</field>
    </rule>
    <rule id="900421" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=821D74031D3F625BCBD0DF08B70F1E77|IMPHASH=F86759BB4DE4320918615DC06E998A39|IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18|IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0</field>
    </rule>
    <rule id="900422" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>cve.2021.21551</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:821D74031D3F625BCBD0DF08B70F1E77|F86759BB4DE4320918615DC06E998A39|0A64EEB85419257D0CE32BD5D55C3A18|6E7B34DFC017700B1517B230DF6FF0D0)$</field>
    </rule>
    <rule id="900423" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SystemInformer\.sys)$</field>
    </rule>
    <rule id="900424" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24|SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454|SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D|SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B|SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D|SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34|SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89|SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB|SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B|SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97|SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656|SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4|SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138</field>
    </rule>
    <rule id="900425" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24|a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454|38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d|a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b|4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d|3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34|047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89|18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb|b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b|640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97|251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656|e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4|3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138)$</field>
    </rule>
    <rule id="900426" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Driver Load From A Temporary Directory</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="900427" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=c996d7971c49252c582171d9380360f2|MD5=da7e98b23b49b7293ee06713032c74f6|MD5=9496585198d726000ea505abc39dbfe9|MD5=649ff59b8e571c1fc6535b31662407aa|MD5=4429f85e2415742c7cf8c9f54905c4b9|MD5=a610cd4c762b5af8575285dafb9baa8f|MD5=d5e76d125d624f8025d534f49e3c4162|MD5=9c8fffef24fc480917236f9a20b80a47|MD5=65b979bcab915c3922578fe77953d789|MD5=598f8fb2317350e5f90b7bd16baf5738|MD5=6691e873354f1914692df104718eebad|MD5=4814205270caa80d35569eee8081838e|MD5=7f9128654c3def08c28e0e13efff0fee|MD5=ce952204558ea66ec1a9632dcbdde8bd|MD5=0c0195c48b6b8582fa6f6373032118da|MD5=370a4ca29a7cf1d6bc0744afc12b236c|MD5=67e03f83c503c3f11843942df32efe5a|MD5=8a70921638ff82bb924456deadcd20e6|MD5=8a212a246b3c41f3ddce5888aaaaacd6|MD5=a346417e9ae2c17a8fbf73302eeb611d|MD5=d4f7c14e92b36c341c41ae93159407dd|MD5=748cf64b95ca83abc35762ad2c25458f|MD5=79ab228766c76cfdf42a64722821711e|MD5=ce67e51b8c0370d1bfe421b79fa8b656|MD5=25190f667f31318dd9a2e36383d5709f|MD5=1f263a57c5ef46c8577744ecb32c9548|MD5=c6cfa2d6e4c443e673c2c12417ea3001|MD5=cceb3a7e3bd0203c807168b393a65a74|MD5=56b54823a79a53747cbe11f8c4db7b1e|MD5=988dabdcf990b134b0ac1e00512c30c4|MD5=09e77d71d626574e6142894caca6e6dd|MD5=c832a4313ff082258240b61b88efa025|MD5=44499d3cab387aa78a4a6eca2ac181fb|MD5=6ff59faea912903af0ba8e80e58612bc|MD5=7461f0f9b931044a9d5f1d44eb4e8e09|MD5=08bac71557df8a9b1381c8c165f64520|MD5=fea9319d67177ed6f36438d2bd9392fb|MD5=6dd82d91f981893be57ff90101a7f7f1|MD5=d4119a5cb07ce945c6549eae74e39731|MD5=cf1113723e3c1c71af80d228f040c198|MD5=0e625b7a7c3f75524e307b160f8db337|MD5=6e1faeee0ebfcb384208772410fe1e86|MD5=58a92520dda53166e322118ee0503364|MD5=916ba55fc004b85939ee0cc86a5191c5|MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9|MD5=db2fc89098ac722dabe3c37ed23de340|MD5=6f5cf7feb9bb8108b68f169b8e625ffe|MD5=d2588631d8aae2a3e54410eaf54f0679|MD5=72acbdd8fac58b71b301980eab3ebfc8|MD5=9cc757a18b86408efc1ce3ed20cbcdac|MD5=230fd3749904ca045ea5ec0aa14006e9|MD5=79329e2917623181888605bc5b302711|MD5=3e4a1384a27013ab7b767a88b8a1bd34|MD5=bafd6bad121e42f940a0b8abc587eadf|MD5=02a1d77ef13bd41cad04abcce896d0b9|MD5=de331f863627dc489f547725d7292bbd|MD5=29122f970a9e766ef01a73e0616d68b3|MD5=2b8814cff6351c2b775387770053bdec|MD5=332db70d2c5c332768ab063ba6ac8433|MD5=40f39a98fb513411dacdfc5b2d972206|MD5=644d687c9f96c82ea2974ccacd8cd549|MD5=825703c494e0d270f797f1ecf070f698|MD5=afae2a21e36158f5cf4f76f896649c75|MD5=dd050e79c515e4a6d1ae36cac5545025|MD5=6133e1008f8c6fc32d4b1a60941bab85|MD5=0e2fc7e7f85c980eb698b9e468c20366|MD5=94c80490b02cc655d2d80597c3aef08f|MD5=4d487f77be4471900d6ccbc47242cc25|MD5=2e3dbb01b282a526bdc3031e0663c41c|MD5=93a23503e26773c27ed1da06bb79e7a4|MD5=ffd0c87d9bf894af26823fbde94c71b6|MD5=a86150f2e29b35369afa2cafd7aa9764|MD5=6126065af2fc2639473d12ee3c0c198e|MD5=c1d3a6bb423739a5e781f7eee04c9cfd|MD5=f0db5af13c457a299a64cf524c64b042|MD5=e5e8ecb20bc5630414707295327d755e|MD5=659a59d7e26b7730361244e12201378e|MD5=8f47af49c330c9fcf3451ad2252b9e04|MD5=dd9596c18818288845423c68f3f39800|MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2|MD5=20125794b807116617d43f02b616e092|MD5=46cae59443ae41f4dbb42e050a9b501a|MD5=21e13f2cb269defeae5e1d09887d47bb|MD5=5bab40019419a2713298a5c9173e5d30|MD5=7314c2bc19c6608d511ef36e17a12c98|MD5=24061b0958874c1cb2a5a8e9d25482d4|MD5=31a4631d77b2357ac9618e2a60021f11|MD5=130c5aec46bdec8d534df7222d160fdb|MD5=592065b29131af32aa18a9e546be9617|MD5=2d64d681d79e0d26650928259530c075|MD5=1ce19950e23c975f677b80ff59d04fae|MD5=318e309e11199ec69d8928c46a4d901b|MD5=d78a29306f42d42cd48ad6bc6c6a7602|MD5=6a094d8e4b00dd1d93eb494099e98478|MD5=0be80db5d9368fdb29fe9d9bfdd02e7c|MD5=ba23266992ad964eff6d358d946b76bd|MD5=560069dc51d3cc7f9cf1f4e940f93cae|MD5=a785b3bc4309d2eb111911c1b55e793f|MD5=ac591a3b4df82a589edbb236263ec70a|MD5=a664904f69756834049e9e272abb6fea|MD5=19f32bf24b725f103f49dc3fa2f4f0bd|MD5=2509a71a02296aa65a3428ddfac22180|MD5=9988fc825675d4d3e2298537fc78e303|MD5=dab9142dc12480bb39f25c9911df6c6c|MD5=2c47725db0c5eb5c2ecc32ff208bceb6|MD5=bdfe1f0346c066971e1f3d96f7fdaa2c|MD5=7644bed8b74dc294ac77bf406df8ad77|MD5=9ade14e58996a6abbfe2409d6cddba6a|MD5=5212e0957468d3f94d90fa7a0f06b58f|MD5=96e10a2904fff9491762a4fb549ad580|MD5=0c55128c301921ce71991a6d546756ad|MD5=97e90c869b5b0f493b833710931c39ed|MD5=f36b8094c2fbf57f99870bfaeeacb25c|MD5=b3d6378185356326fd8ee4329b0b7698|MD5=9321a61a25c7961d9f36852ecaa86f55|MD5=f758e7d53184faab5bc51f751937fa36|MD5=1f7b2a00fe0c55d17d1b04c5e0507970|MD5=239224202ccdea1f09813a70be8413ee|MD5=996ded363410dfd38af50c76bd5b4fbc|MD5=0fc2653b1c45f08ca0abd1eb7772e3c0|MD5=79b8119b012352d255961e76605567d6|MD5=2e1f8a2a80221deb93496a861693c565|MD5=697bbd86ee1d386ae1e99759b1e38919|MD5=ddc2ffe0ab3fcd48db898ab13c38d88d|MD5=2971d4ee95f640d2818e38d8877c8984|MD5=962a33a191dbe56915fd196e3a868cf0|MD5=7575b35fee4ec8dbd0a61dbca3b972e3|MD5=2d7f1c02b94d6f0f3e10107e5ea8e141|MD5=057ec65bac5e786affeb97c0a0d1db15|MD5=483abeee17e4e30a760ec8c0d6d31d6d|MD5=f23b2adcfab58e33872e5c2d0041ad88|MD5=2601cf769ad6ffee727997679693f774|MD5=b4598c05d5440250633e25933fff42b0|MD5=2e5f016ff9378be41fe98fa62f99b12d|MD5=75d6c3469347de1cdfa3b1b9f1544208|MD5=828bb9cb1dd449cd65a29b18ec46055f|MD5=1bd38ac06ef8709ad23af666622609c9|MD5=e747f164fc89566f934f9ec5627cd8c3|MD5=a01c412699b6f21645b2885c2bae4454|MD5=a216803d691d92acc44ac77d981aa767|MD5=112b4a6d8c205c1287c66ad0009c3226|MD5=68dde686d6999ad2e5d182b20403240b|MD5=2d854c6772f0daa8d1fde4168d26c36b|MD5=9a9dbf5107848c254381be67a4c1b1dd|MD5=3ecd3ca61ffc54b0d93f8b19161b83da|MD5=1ad400766530669d14a077514599e7f3|MD5=4f27c09cc8680e06b04d6a9c34ca1e08|MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d|MD5=043d5a1fc66662a3f91b8a9c027f9be9|MD5=a0e2223868b6133c5712ba5ed20c3e8a|MD5=2b3e0db4f00d4b3d0b4d178234b02e72|MD5=1610342659cb8eb4a0361dbc047a2221|MD5=c842827d4704a5ef53a809463254e1cc|MD5=bf2a954160cb155df0df433929e9102b|MD5=81b72492d45982cd7a4a138676329fd6|MD5=2a2867e1f323320fdeef40c1da578a9a|MD5=b3f132ce34207b7be899f4978276b66d|MD5=3247014ba35d406475311a2eab0c4657|MD5=88d5fc86f0dd3a8b42463f8d5503a570|MD5=0be5c6476dd58072c93af4fca62ee4b3|MD5=3cf7a55ec897cc938aebb8161cb8e74f|MD5=931d4f01b5a88027ef86437f1b862000|MD5=d253c19194a18030296ae62a10821640|MD5=c5f5d109f11aadebae94c77b27cb026f|MD5=15dd3ef7df34f9b464e9b38c2deb0793|MD5=e913a51f66e380837ffe8da6707d4cc4|MD5=c552dae8eaadd708a38704e8d62cf64d|MD5=1f8a9619ab644728ce4cf86f3ad879ea|MD5=f7edd110de10f9a50c2922f1450819aa|MD5=be17a598e0f5314748ade0871ad343e7|MD5=aa1ed3917928f04d97d8a217fe9b5cb1|MD5=880686bceaf66bfde3c80569eb1ebfa7|MD5=bc1eeb4993a601e6f7776233028ac095|MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3|MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae|MD5=5054083cf29649a76c94658ba7ff5bce|MD5=dedd07993780d973c22c93e77ab69fa3|MD5=3aacaa62758fa6d178043d78ba89bebc|MD5=f1a203406a680cc7e4017844b129dcbf|MD5=2399e6f7f868d05623be03a616b4811e|MD5=0d5774527af6e30905317839686b449d|MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae|MD5=047c06d4d38ea443c9af23a501c4480d|MD5=a72e10ecea2fdeb8b9d4f45d0294086b|MD5=c9c25778efe890baa4087e32937016a0|MD5=0ba6afe0ea182236f98365bd977adfdf|MD5=e626956c883c7ff3aeb0414570135a58|MD5=3e796eb95aca7e620d6a0c2118d6871b|MD5=f3f5c518bc3715492cb0b7c59e94c357|MD5=4e92f1c677e08fd09b57032c5b47ca46|MD5=f22740ba54a400fd2be7690bb204aa08|MD5=3467b0d996251dc56a72fc51a536dd6b|MD5=198b723e13a270bb664dcb9fb6ed42e6|MD5=bdc3b6b83dde7111d5d6b9a2aadf233f|MD5=3651a6990fe38711ebb285143f867a43|MD5=7db75077d53a63531ef2742d98ca6acc|MD5=55c36d43dd930069148008902f431ea5|MD5=f026460a7a720d0b8394f28a1f9203dc|MD5=cb22776d06f1e81cc87faeb0245acde8|MD5=b994110f069d197222508a724d8afdac|MD5=e6eaee1b3e41f404c289e22df66ef66b|MD5=29872c7376c42e2a64fa838dad98aa11|MD5=d21fba3d09e5b060bd08796916166218|MD5=880611326b768c4922e9da8a8effc582|MD5=9c3c250646e11052b1e38500ee0e467b|MD5=178cc9403816c082d22a1d47fa1f9c85|MD5=2c1045bb133b7c9f5115e7f2b20c267a|MD5=707ab1170389eba44ffd4cfad01b5969|MD5=ddf2655068467d981242ea96e3b88614|MD5=7907e14f9bcf3a4689c9a74a1a873cb6|MD5=b3424a229d845a88340045c29327c529|MD5=0b0447072ada1636a14087574a512c82|MD5=0be4a11bc261f3cd8b4dbfebee88c209|MD5=7dd538bcaa98d6c063ead8606066333f|MD5=8a108158431e9a7d08e330fd7a46d175|MD5=e6ea0e8d2edcc6cad3c414a889d17ac4|MD5=288471f132c7249f598032d03575f083|MD5=11fb599312cb1cf43ca5e879ed6fb71e|MD5=2348508499406dec3b508f349949cb51|MD5=fe820a5f99b092c3660762c6fc6c64e0|MD5=c508d28487121828c3a1c2b57acb05be|MD5=91755cc5c3ccf97313dc2bece813b4d9|MD5=2f8653034a35526df88ea0c62b035a42|MD5=3dbf69f935ea48571ea6b0f5a2878896|MD5=7e3a6f880486a4782b896e6dbd9cc26f|MD5=2850608430dd089f24386f3336c84729|MD5=a711e6ab17802fabf2e69e0cd57c54cd|MD5=2eec12c17d6b8deeeac485f47131d150|MD5=e7ab83a655b0cd934a19d94ac81e4eec|MD5=a91a1bc393971a662a3210dac8c17dfd|MD5=2fed983ec44d1e7cffb0d516407746f2|MD5=18439fe2aaeddfd355ef88091cb6c15f|MD5=592756f68ab8ae590662b0c4212a3bb9|MD5=d63c9c1a427a134461258b7b8742858f|MD5=6e25148bb384469f3d5386dc5217548a|MD5=700d6a0331befd4ed9cfbb3234b335e7|MD5=e68972cd9f28f0be0f9df7207aba9d1d|MD5=b2a9ac0600b12ec9819e049d7a6a0b75|MD5=c796a92a66ec725b7b7febbdc13dc69b|MD5=5b6c21e8366220f7511e6904ffeeced9|MD5=8741e6df191c805028b92cec44b1ba88|MD5=b47dee29b5e6e1939567a926c7a3e6a4|MD5=dff6c75c9754a6be61a47a273364cdf7|MD5=d86269ba823c9ecf49a145540cd0b3df|MD5=3c55092900343d3d28564e2d34e7be2c|MD5=fef9dd9ea587f8886ade43c1befbdafe|MD5=96c5900331bd17344f338d006888bae5|MD5=7e7e3f5532b6af24dcc252ac4b240311|MD5=c6f8983dd3d75640c072a8459b8fa55a|MD5=1caf5070493459ba029d988dbb2c7422|MD5=2b653950483196f0d175ba6bc35f1125|MD5=15814b675e9d08953f2c64e4e5ccb4f4|MD5=de4001f89ed139d1ed6ae5586d48997a|MD5=dc943bf367ae77016ae399df8e71d38a|MD5=524cd77f4c100cf20af4004f740b0268|MD5=e5f8fcdfb52155ed4dffd8a205b3d091|MD5=925ee3f3227c3b63e141ba16bd83f024|MD5=fbf729350ca08a7673b115ce9c9eb7e5|MD5=eb0a8eeb444033ebf9b4b304f114f2c8|MD5=c7a57cd4bea07dadba2e2fb914379910|MD5=384370c812acb7181f972d57dc77c324|MD5=d43dcba796b40234267ad2862fa52600|MD5=b0954711c133d284a171dd560c8f492a|MD5=262969a3fab32b9e17e63e2d17a57744|MD5=05a6f843c43d75fbce8e885bb8656aa4|MD5=992ded5b623be3c228f32edb4ca3f2d2|MD5=13a0d3f9d5f39adaca0a8d3bb327eb31|MD5=f5051c756035ef5de9c4c48bacb0612b|MD5=1276f735d22cf04676a719edc6b0df18|MD5=d4a299c595d35264b5cfd12490a138dc|MD5=f4e1997192d5a95a38965c9e15c687fc|MD5=05369fa594a033e48b7921018b3263fb|MD5=ed07f1a8038596574184e09211dfc30f|MD5=e1ebc6c5257a277115a7e61ee3e5e42f|MD5=821adf5ba68fd8cc7f4f1bc915fe47de|MD5=b12d1630fd50b2a21fd91e45d522ba3a|MD5=729dd4df669dc96e74f4180c6ee2a64b|MD5=c6b5a3ae07b165a6e5fff7e31ff91016|MD5=e36f6f7401ae11e11f69d744703914db|MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a|MD5=b5326548762bfaae7a42d5b0898dfeac|MD5=f2f728d2f69765f5dfda913d407783d2|MD5=637cf50b06bc53deae846b252d56bbdc|MD5=c37b575c3a96b9788c26cefcf43f3542|MD5=e4266262a77fffdea2584283f6c4f51d|MD5=054299e09cea38df2b84e6b29348b418|MD5=4cc3ddd5ae268d9a154a426af2c23ef9|MD5=d717f8de642b65f029829c34fbd13a45|MD5=e79c91c27df3eaf82fb7bd1280172517|MD5=fd7de498a72b2daf89f321d23948c3c4|MD5=6682176866d6bd6b4ea3c8e398bd3aae|MD5=eb525d99a31eb4fff09814e83593a494|MD5=e323413de3caec7f7730b43c551f26a0|MD5=353e5d424668d785f13c904fde3bac84|MD5=3b9698a9ee85f0b4edf150deef790ccd|MD5=3f8cdaf7413000d34d6a1a1d5341a11b|MD5=dcd966874b4c8c952662d2d16ddb4d7c|MD5=3fda3d414c31ad73efd8ccceeaa3bdc2|MD5=ca6931fcbc1492d7283aa9dc0149032e|MD5=084bd27e151fef55b5d80025c3114d35|MD5=7c887f2b1a56b84d86828529604957db|MD5=c24800c382b38707e556af957e9e94fd|MD5=f84da507b3067f019c340b737cd68d32|MD5=d3026938514218766cb6d3b36ccfa322|MD5=6917ef5d483ed30be14f8085eaef521b|MD5=945ef111161bae49075107e5bc11a23f|MD5=44a3b9cc0a8e89c11544932b295ea113|MD5=6cc3c3be2de12310a35a6ab2aed141d6|MD5=085d3423f3c12a17119920f1a293ab4d|MD5=547971da89a47b6ad6459cd7d7854e12|MD5=aa5dd4beca6f67733e04d9d050ecd523|MD5=903c149851e9929ec45daefc544fcd99|MD5=ba5f0f6347780c2ed911bbf888e75bef|MD5=1873a2ce2df273d409c47094bc269285|MD5=97e3a44ec4ae58c8cc38eefc613e950e|MD5=1cb26adeca26aefb5a61065e990402da|MD5=17fe96af33f1fe475957689aeb5f816e|MD5=c5b8e612360277ac70aa328432a99fd6|MD5=62f8d7f884366df6100c7e892e3d70bf|MD5=a5deee418b7b580ca89db8a871dc1645|MD5=5f44a01ccc530b34051b9d0ccb5bb842|MD5=25ede0fd525a30d31998ea62876961ec|MD5=1c61eb82f1269d8d6be8de2411133811|MD5=338a98e1c27bc76f09331fcd7ae413a5|MD5=f66b96aa7ae430b56289409241645099|MD5=8ea94766cd7890483449dc193d267993|MD5=75fa19142531cbf490770c2988a7db64|MD5=ee3b74cdfed959782dff84153e3d5a6e|MD5=fdf975524d4cdb4f127d79aac571ae9e|MD5=688a10e87af9bcf0e40277d927923a00|MD5=62792c30836ae7861c3ca2409cd35c02|MD5=b62e2371158a082e239f5883bd6000d1|MD5=1f01257d9730f805b2a1d69099ef891d|MD5=b934322c68c30dceca96c0274a51f7b0|MD5=76355d5eafdfa3e9b7580b9153de1f30|MD5=9fdcd543574a712a80d62da8bfd8331c|MD5=1440c0da81c700bd61142bc569477d81|MD5=4c76554d9a72653c6156ca0024d21a8e|MD5=148bd10da8c8d64928a213c7bf1f2fca|MD5=95e4c7b0384da89dce8ea6f31c3613d9|MD5=e6cb1728c50bd020e531d19a14904e1c|MD5=62f02339fe267dc7438f603bfb5431a1|MD5=0a4e6bd5cc2e9172e461408be47c3149|MD5=28cb0b64134ad62c2acf77db8501a619|MD5=4ecfb46fcdce95623f994bd29bbe59cb|MD5=7ee0c884e7d282958c5b3a9e47f23e13|MD5=dbc415304403be25ac83047c170b0ec2|MD5=0c7f66cd219817eaab41f36d4bc0d4cd|MD5=3c9c537167923723429c86ab38743e7d|MD5=a57b47489febc552515778dd0fd1e51c|MD5=680dcb5c39c1ec40ac3897bb3e9f27b9|MD5=5f9785e7535f8f602cb294a54962c9e7|MD5=e4ea7ebfa142d20a92fbe468a77eafa6|MD5=32365e3e64d28cc94756ac9a09b67f06|MD5=be9eeea2a8cac5f6cd92c97f234e2fe1|MD5=5bd30b502168013c9ea03a5c2f1c9776|MD5=ba21bfa3d05661ba216873a9ef66a6e2|MD5=dad8f40626ed4702e0e8502562d93d7c|MD5=8fbb1ffc6f13f9d5ee8480b36baffc52|MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4|MD5=9dd414590e695ea208139c23db8a5aa3|MD5=270052c61f4de95ebfbf3a49fb39235f|MD5=19c0c18384d6a6d65462be891692df9c|MD5=a26e600652c33dd054731b4693bf5b01|MD5=8b779fe1d71839ad361226f66f1b3fe5|MD5=8ad9dfc971df71cd43788ade6acf8e7d|MD5=2dbc09c853c4bf2e058d29aaa21fa803|MD5=13ee349c15ee5d6cf640b3d0111ffc0e|MD5=fef60a37301e1f5a3020fa3487fb2cd7|MD5=4353b713487a2945b823423bbbf709bd|MD5=875c44411674b75feb07592aeffa09c1|MD5=b971b79bdca77e8755e615909a1c7a9f|MD5=ad03f225247b58a57584b40a4d1746d3|MD5=2229d5a9a92b62df4df9cf51f48436f7|MD5=5bb840db439eb281927588dbce5f5418|MD5=fd80c3d38669b302de4b4b736941c0d1|MD5=d1440503d1528c55fdc569678a663667|MD5=d1e57c74bafa56e8e2641290d153f4d2|MD5=c9b046a6961957cc6c93a5192d3e61e3|MD5=ff795e4f387c3e22291083b7d6b92ffb|MD5=782f165b1d2db23f78e82fee0127cc14|MD5=002a58b90a589913a07012253662c98c|MD5=0211ab46b73a2623b86c1cfcb30579ab|MD5=d0a5b98788e480c12afc65ad3e6d4478|MD5=d6cc5709aca6a6b868962a6506d48abc|MD5=08001b0cdb0946433366032827d7a187|MD5=8fc6cafd4e63a3271edf6a1897a892ae|MD5=0e207ef80361b3d047a2358d0e2206b4|MD5=b10b210c5944965d0dc85e70a0b19a42|MD5=006d9d615cdcc105f642ab599b66f94e|MD5=b32497762d916dba6c827e31205b67dd|MD5=f766a9bb7cd46ba8c871484058f908f0|MD5=546db985012d988e4482acfae4a935a8|MD5=700e9902b0a28979724582f116288bad|MD5=0395b4e0eb21693590ad1cfdf7044b8b|MD5=d95c9a241e52b4f967fa4cdb7b99fc80|MD5=ee91da973bebe6442527b3d1abcc3c80|MD5=1a234f4643f5658bab07bfa611282267|MD5=1898ceda3247213c084f43637ef163b3|MD5=1b5c3c458e31bede55145d0644e88d75|MD5=42132c7a755064f94314b01afb80e73c|MD5=1b76363059fef4f7da752eb0dfb0c1e1|MD5=cc8855fe30a9cdef895177a4cf1a3dad|MD5=6d4159694e1754f262e326b52a3b305a|MD5=b7ca4c32c844df9b61634052ae276387|MD5=361a598d8bb92c13b18abb7cac850b01|MD5=27bcbeec8a466178a6057b64bef66512|MD5=f310b453ac562f2c53d30aa6e35506bb|MD5=14add4f16d80595e6e816abf038141e5|MD5=ab53d07f18a9697139ddc825b466f696|MD5=278761b706276f9b49e1e2fd21b9cb07|MD5=60e84516c6ec6dfdae7b422d1f7cab06|MD5=20afd54ca260e2bf6589fac72935fecf|MD5=3ad7b36a584504b3c70b5f552ba33015|MD5=9f3b5de6fe46429bed794813c6ae8421|MD5=7b9717c608a5f5a1c816128a609e9575|MD5=798de15f187c1f013095bbbeb6fb6197|MD5=66066d9852bc65988fb4777f0ff3fbb4|MD5=13dda15ef67eb265869fc371c72d6ef0|MD5=63e333d64a8716e1ae59f914cb686ae8|MD5=3411fdf098aa20193eee5ffa36ba43b2|MD5=ad6d5177656dfc5b43def5d13d32f9f6|MD5=97221e16e7a99a00592ca278c49ffbfc|MD5=010c0e5ac584e3ab97a2daf84cf436f5|MD5=29b1ddc69e89b160cc3722e5e0738fd8|MD5=aad4fb47cb39a9ab4159662a29e1ee88|MD5=4e093256b034925ecd6b29473ff16858|MD5=51c233297c3aa16c4222e35ded1139b6|MD5=9945823e9846724c70d2f8d66a403300|MD5=aa2ef08d48b66bd814280976614468a7|MD5=33fc573c0e8bedfe3614e17219273429|MD5=c08063f052308b6f5882482615387f30|MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9|MD5=3f29f651a3c4ff5ce16d61deccf46618|MD5=08c1bce6627764c9f8c79439555c5636|MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d|MD5=c1d063c9422a19944cdaa6714623f2ec|MD5=b0809d8adc254c52f9d06362489ce474|MD5=a22626febc924eb219a953f1ee2b9600|MD5=5a615f4641287e5e88968f5455627d45|MD5=de2aac9468158c73880e31509924d7e0|MD5=dd38cc344d2a0da1c03e92eb4b89a193|MD5=c1fce7aac4e9dd7a730997e2979fa1e2|MD5=0634299fc837b47b531e4762d946b2ae|MD5=e4ff4edce076f21f5f8d082a62c9db8b|MD5=43ed1d08c19626688db34f63e55114fb|MD5=6c28461e78f8d908ca9a66bad2e212f7|MD5=8aa9d47ec9a0713c56b6dec3d601d105|MD5=c9390a8f3ca511c1306a039ca5d80997|MD5=c60a4bc4fec820d88113afb1da6e4db3|MD5=6b3abe55c4d39e305a11b4d1091dfaac|MD5=f4a31e08f89e5f002ef3cf7b1224af5f|MD5=d7cf689e6c63d37bc071499f687300dd|MD5=7c0b186d1912686cfcb8cd9cdebabe58|MD5=8cb2ffb8bb0bbf8cd0dd685611854637|MD5=9b359b722ac80c4e0a5235264e1e0156|MD5=09927915aba84c8acd91efdaac674b86|MD5=e4b50e44d1f12a47e18259b41074f126|MD5=0ec361f2fba49c73260af351c39ff9cb|MD5=65ad6a7c43f8d566afd5676f9447b6c1|MD5=ddb7da975d90b2a9c9c58e1af55f0285|MD5=8291dcbcbccc2ce28195d04ac616a1b5|MD5=2da269863ed99be7b6b8ec2adc710648|MD5=2ab9f5a66d75adb01171bb04ab4380f2|MD5=3a7c69293fcd5688cc398691093ec06a|MD5=13a2b915f6d93e52505656773d53096f|MD5=7bd840ff7f15df79a9a71fec7db1243e|MD5=0a6a1c9a7f80a2a5dcced5c4c0473765|MD5=a1547e8b2ca0516d0d9191a55b8536c0|MD5=e04ff937f6fd273b774f23aed5dd8c13|MD5=fac8eb49e2fd541b81fcbdeb98a199cb|MD5=cb31f1b637056a3d374e22865c41e6d9|MD5=c69c292e0b76b25a5fa0e16136770e11|MD5=cebf532d1e3c109418687cb9207516ad|MD5=eeb8e039f6d942538eb4b0252117899a|MD5=4d99d02f49e027332a0a9c31c674e13b|MD5=e9a30edef1105b8a64218f892b2e56ed|MD5=dd04cd3de0c19bede84e9c95a86b3ca8|MD5=70196d88c03f2ea557281b24dad85de5|MD5=708ac9f7b12b6ca4553fd8d0c7299296|MD5=cafbf85b902f189ba35f3d7823aad195|MD5=d48f681f70e19d2fa521df63bc72ab9e|MD5=6ae9d25e02b54367a4e93c2492b8b02e|MD5=f14359ceb3705d77353b244bb795b552|MD5=0d992b69029d1f23a872ff5a3352fb5b|MD5=9993a2a45c745bb0139bf3e8decd626c|MD5=6d67da13cf84f15f6797ed929dd8cf5d|MD5=c2eb4539a4f6ab6edd01bdc191619975|MD5=349fa788a4a7b57e37e426aca9b736d5|MD5=4c016fd76ed5c05e84ca8cab77993961|MD5=ea14899d1bfba397bc731770765768d1|MD5=4ec08e0bcdf3e880e7f5a7d78a73440c|MD5=e65fa439efa9e5ad1d2c9aee40c7238e|MD5=0898af0888d8f7a9544ef56e5e16354e|MD5=10e681ce84afdd642e59ddfdb28284e9|MD5=b5f96dd5cc7d14a9860ab99d161bf171|MD5=37c3a9fef349d13685ec9c2acaaeafce|MD5=027e10a5048b135862d638b9085d1402|MD5=b0baac4d6cbac384a633c71858b35a2e|MD5=d0a5f9ace1f0c459cef714156db1de02|MD5=b34361d151c793415ef92ee5d368c053|MD5=f0fdfdf3303e2f7c141aa3a24d523af1|MD5=d424f369f7e010249619f0ecbe5f3805|MD5=639252292bb40b3f10f8a6842aee3cd4|MD5=7e6e2ed880c7ab115fca68136051f9ce|MD5=f8dce1eb0f9fcaf07f68fe290aa629e4|MD5=fa222bed731713904320723b9c085b11|MD5=aa69b4255e786d968adbd75ba5cf3e93|MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a|MD5=00685003005b0b437af929f0499545e4|MD5=85e606523ce390f7fcd8370d5f4b812a|MD5=23cf3da010497eb2bf39a5c5a57e437c|MD5=dc9be271f403e2278071d6ece408ff28|MD5=6b16512bffe88146a7915f749bd81641|MD5=c2585e2696e21e25c05122e37e75a947|MD5=165178829b5587a628977bfca6fd6900|MD5=24156523b923fd9dcfdd0ac684dcdb20|MD5=750d1f07ea9d10b38a33636036c30cca|MD5=fc90bcc43daa48882be359a17b71abf7|MD5=09672532194b4bff5e0f7a7d782c7bf2|MD5=212bfd1ef00e199a365aeb74a8182609|MD5=e3d290406de40c32095bd76dc88179fb|MD5=715572dfe6fb10b16f980bfa242f3fa5|MD5=c8f88ca47b393da6acf87fa190e81333|MD5=d0c2caa17c7b6d2200e1b5aa9d07135e|MD5=16a8e8437b94d6207af2f25fd4801b6d|MD5=7bdf418a65ec33ec8ff47e7de705a4e1|MD5=31f34de4374a6ed0e70a022a0efa2570|MD5=cfad9185ffcf5850b5810c28b24d5fc8|MD5=6ba221afb17342a3c81245a4958516a2|MD5=f44f6ec546850ceb796a2cb528928a91|MD5=34a7fab63a4ed5a0b61eb204828e08e5|MD5=a92bf3c219a5fa82087b6c31bdf36ff3|MD5=fa0d1fca7c5b44ce3b799389434fcaa5|MD5=affe4764d880e78b2afb2643b15b8d41|MD5=f80ceb0dbb889663f0bee058b109ce0e|MD5=25ebe6f757129adbe78ec312a5f1800b|MD5=7f7b8cde26c4943c9465e412adbb790f|MD5=bfe96411cf67edb3cee2b9894b910cd5|MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1|MD5=0420fa6704fd0590c5ce7176fdada650|MD5=7ed6030f14e66e743241f2c1fa783e69|MD5=61e8367fb57297a949c9a80c2e0e5a38|MD5=7951fa3096c99295d681acb0742506bf|MD5=bcd60bf152fdec05cd40562b466be252|MD5=376b1e8957227a3639ec1482900d9b97|MD5=7331720a5522d5cd972623326cf87a3f|MD5=8e78ab9b9709bafb11695a0a6eddeff9|MD5=8abbb12e61045984eda19e2dc77b235e|MD5=0199a59af05d9986842ecbdee3884f0c|MD5=729afa54490443da66c2685bd77cb1f0|MD5=95c88d25e211a4d52a82c53e5d93e634|MD5=aa55dd14064cb808613d09195e3ba749|MD5=ef1afb3a5ddad6795721f824690b4a69|MD5=db46c56849bbce9a55a03283efc8c280|MD5=991230087394738976dbd44f92516cae|MD5=3af19d325f9dcdf360276ae5e7c136ea|MD5=98763a3dee3cf03de334f00f95fc071a|MD5=4b194021d6bd6650cbd1aed9370b2329|MD5=517d484bdbad4637188ec7a908335b86|MD5=2ddd3c0e23bc0fd63702910c597298b4|MD5=120b5bbb9d2eb35ff4f62d79507ea63a|MD5=6bada94085b6709694f8327c211d12e1|MD5=5c5f1c2dc6c2479bafec7c010c41c6ec|MD5=ab81264493c218a0e875a0d50104ac9f|MD5=ea2ff60fcce3b9ffe0bd77658b88512d|MD5=76d1d4d285f74059f32b8ad19a146d0c|MD5=b9cf3294c13cdea624ab95ca3e2e483f|MD5=0cd0fe9d16b62415b116686a2f414f8c|MD5=2503c4cf31588f0b011eb992ca3ee7ff|MD5=f0470f82ba58bc4309f83a0f2aefa4d5|MD5=db72def618cbc3c5f9aa82f091b54250|MD5=2ff629de3667fcd606a0693951f1c1a9|MD5=119f0656ab4bb872f79ee5d421e2b9f9|MD5=55a7c51dc2aa959c41e391db8f6b8b4f|MD5=009876ab9cf3a3d4e3fc3afe13ae839e|MD5=f8a13d4413a93dd005fad116cbd6b6f7|MD5=5093f38d597532d59d4df9018056f0d1|MD5=00f887e74faad40e6e97d9d0e9c71370|MD5=0215d0681979987fe908fb19dab83399|MD5=7962d91b1f53ce55c7338788bd4eb378|MD5=1bca427ab8e67a9db833eb8f0ff92196|MD5=a730b97ab977aa444fa261902822a905|MD5=a453083b8f4ca7cb60cac327e97edbe2|MD5=afc2448b4080f695e76e059a96958cab|MD5=4f963d716a60737e5b59299f00daf285|MD5=ee59b64ae296a87bf7a6aee38ad09617|MD5=1c9d2a993e99054050b596d88b307d95|MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9|MD5=4c6d311e0b13c4f469f717db4ab4d0e7|MD5=84fb76ee319073e77fb364bbbbff5461|MD5=d660fc7255646d5014d45c3bca9c6e20|MD5=ecccbf1e7c727f923c9d709707800e6c|MD5=94ccef76fda12ab0b8270f9b2980552b|MD5=f853abe0dc162601e66e4a346faed854|MD5=154fd286c96665946d55a7d49923ad7e|MD5=a5afd20e34bcd634ebd25b3ab2ff3403|MD5=c9c7113f5e15f70fcc576e835c859d56|MD5=ad22a7b010de6f9c6f39c350a471a440|MD5=7a6a6d6921cd1a4e1d61f9672a4560d6|MD5=9af5ae780b6a9ea485fa15f28ddb20a7|MD5=1f15a513abc039533ca996552ba27e51|MD5=d1bac75205c389d6d5d6418f0457c29b|MD5=36527fdb70ed6f74b70a98129f82ad62|MD5=3d5164e85d740bce0391e2b81d49d308|MD5=30550db8f400b1e11593dffd644abb67|MD5=b17fb1ad5e880467cf7e61b1ee8e3448|MD5=6f5d54ab483659ac78672440422ae3f1|MD5=f042e8318cf20957c2339d96690c3186|MD5=5158f786afa19945d19bee9179065e4d|MD5=328a2cb2da464b0c2beb898ff9ae9f3a|MD5=e7273e17ac85dc4272c4c4400091a19e|MD5=d74d202646e5a6d0d2c4207e1f949826|MD5=9ce1b0e5cfa8223cec3be1c7616e9f63|MD5=55cd6b46ac25bbe01245f2270a0d6cb8|MD5=b8b6686324f7aa77f570bc019ec214e6|MD5=d104621c93213942b7b43d65b5d8d33e|MD5=8cc5a4045a80a822cbc1e9eadff8e533|MD5=ef18d594c862d6d3704b777fa3445ac2|MD5=b941c8364308990ee4cc6eadf7214e0f|MD5=2ca1044a04cb2f0ce5bd0a5832981e04|MD5=f8fe655b7d63dbdc53b0983a0d143028|MD5=cd9f0fcecf1664facb3671c0130dc8bb|MD5=3e9ee8418f22a8ae0e2bf6ff293988fa|MD5=3bf217f8ef018ca5ea20947bfdfc0a4d|MD5=778b7feea3c750d44745d3bf294bd4ce|MD5=4514a0e8bcab7de4cff55999cdf00cd1|MD5=5228b7a738dc90a06ae4f4a7412cb1e9|MD5=159f89d9870e208abd8b912c3d1d3ae9|MD5=e425c66663c96d5a9f030b0ad4d219a8|MD5=85b756463ab0c000f816260d49923cde|MD5=acd221ff7cf10b6117fd609929cde395|MD5=a87689b1067edacc48fddf90020dee23|MD5=0d123be07e2dfd2b2ade49ad2a905a5b|MD5=3ae11bde32cdbd8637124ada866a5a7e|MD5=cc35379f0421b907004a9099611ee2cd|MD5=23b807c09b9b6ea85ed5c508aab200b7|MD5=26d973d6d9a0d133dfda7d8c1adc04b7|MD5=eba6b88bc7bca21658bda9533f0bbff8|MD5=9eb524c5f92e5b80374b8261292fdeb5|MD5=4a23e0f2c6f926a41b28d574cbc6ac30|MD5=c61876aaca6ce822be18adb9d9bd4260|MD5=aae268c4b593156bdae25af5a2a4af21|MD5=de711decdd763a73098372f752bf5a1c|MD5=1b32c54b95121ab1683c7b83b2db4b96|MD5=9aa7ed7809eec0d8bc6c545a1d18107a|MD5=07493c774aa406478005e8fe52c788b2|MD5=9b9d367cb53df0a2e0850760c840d016|MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73|MD5=766f9ea38918827df59a6aed204d2b09|MD5=f670d1570c75ab1d8e870c1c6e3baba1|MD5=34edf3464c3f5605c1ca3a071f12e28c|MD5=bae1f127c4ff21d8fe45e2bbfc59c180|MD5=31469f1313871690e8dc2e8ee4799b22|MD5=79483cb29a0c428e1362ec8642109eee|MD5=c607c37af638fa4eac751976a6afbaa6|MD5=fb7637cfe8562095937f4d6cff420784|MD5=d98d2f80b94f70780b46d1f079a38d93|MD5=35fbc4c04c31c1a40e666be6529c6321|MD5=969f1d19449dc5c2535dd5786093f651|MD5=986f083e5fd01eea4ec3b2575a110a95|MD5=ccf523b951afaa0147f22e2a7aae4976|MD5=978cd6d9666627842340ef774fd9e2ac|MD5=9d8cb58b9a9e177ddd599791a58a654d|MD5=e3fda6120dfa016a76d975fdab7954f6|MD5=e99e86480d4206beb898dda82b71ca44|MD5=a2be99e4904264baa5649c4d4cd13a17|MD5=563b33cfc3c815feff659caaa94edc33|MD5=18b4bbeae6b07d2e21729b8698bbd25a|MD5=f51065667fb127cf6de984daea2f6b24|MD5=35c8fdf881909fa28c92b1c2741ac60b|MD5=477e02a8e31cde2e76a8fb020df095c2|MD5=6b6dfb6d952a2e36efd4a387fdb94637|MD5=f7d963c14a691a022301afa31de9ecef|MD5=9638f265b1ddd5da6ecdf5c0619dcbe6|MD5=2e48c3b8042fdcef0ed435562407bd21|MD5=ada5f19423f91795c0372ff39d745acf|MD5=702d5606cf2199e0edea6f0e0d27cd10|MD5=0809f48fd30845d983d569b847fa83cf|MD5=743c403d20a89db5ed84c874768b7119|MD5=ed6348707f177629739df73b97ba1b6e|MD5=f33c3f08536f988aac84d72d83b139a6|MD5=34686a4b10f239d781772e9e94486c1a|MD5=d77fb9fb256b0c2ec0258c39b80dc513|MD5=b2e4e588ce7b993cc31c18a0721d904d|MD5=eda6e97b453388bb51ce84b8a11d9d13|MD5=d90cdd8f2826e5ea3faf8e258f20dc40|MD5=736c4b85ce346ddf3b49b1e3abb4e72a|MD5=b5ada7fd226d20ec6634fc24768f9e22|MD5=843e39865b29bb3df825bd273f195a98|MD5=7671bbf15b7a8c8f59a0c42a1765136a|MD5=6c5e50ef2069896f408cdaaddd307893|MD5=67b5b8607234bf63ce1e6a52b4a05f87|MD5=24589081b827989b52d954dcd88035d0|MD5=8fcf90cb5f9cb7205c075c662720f762|MD5=812e960977116bf6d6c1ccf8b5dd351f|MD5=a4fda97f452b8f8705695a729f5969f7|MD5=6f7125540e5e90957ba5f8d755a8d570|MD5=5a1ee9e6a177f305765f09b0ae6ac1c5|MD5=4b42a7a6327827a8dbdecf367832c0cd|MD5=663f2fb92608073824ee3106886120f3|MD5=d6c4baecff632d6ad63c45fc39e04b2f|MD5=4ae55080ec8aed49343e40d08370195c|MD5=21be10f66bb65c1d406407faa0b9ba95|MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6|MD5=a223f8584bcb978c003dd451b1439f8d|MD5=f30db62d02a69c36ccb01ac9d41dc085|MD5=d396332f9d7b71c10b3b83da030690f0|MD5=715ac0756234a203cb7ce8524b6ddc0d|MD5=b94ffce20e36b2930eb3ac72f72c00d6|MD5=efb4ed2040b9b3d408aab8dc15df5a06|MD5=8f1255efd2ed0d3b03a02c6b236c06d6|MD5=530feb1e37831302f58b7c219be6b844|MD5=2e219df70fccb79351f0452cba86623e|MD5=99c131567c10c25589e741e69a8f8aa3|MD5=6fb3d42a4f07d8115d59eb2ea6504de5|MD5=839cbbc86453960e9eb6db814b776a40|MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd|MD5=46edb648c1b5c3abd76bd5e912dac026|MD5=bd067efb8cafd971142bc964b4f85df1|MD5=3db2afc15e7cc78bd11f4c726060db5c|MD5=01f092be2a36a5574005e25368426ad2|MD5=65c069af3875494ec686afbb0c3da399|MD5=ce65b7adcf954eb36df62ea3d4a628c7|MD5=ae5eb2759305402821aeddc52ba9a6d6|MD5=048549f7e9978aff602a24dea98ee48a|MD5=da8437200af5f3f790e301b9958993d2|MD5=590875a0b2eeb171403fc7d0f5110cb2|MD5=bc71da7c055e3172226090ba5d8e2248|MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab|MD5=14eead4d42728e9340ec8399a225c124|MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5|MD5=5e9d5c59ba1f1060f53909c129df3355|MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7|MD5=6909b5e86e00b4033fedfca1775b0e33|MD5=2b4e66fac6503494a2c6f32bb6ab3826|MD5=a125390293d50091b643cfa096c2148c|MD5=79bfbeb4e8cfdd0cb1d73612360bd811|MD5=389823db299b350f2ee830d47376eeac|MD5=a17c403c4b74d4fa920c3887066daeb2|MD5=1793e1d4247b29313325d1462dec81e2|MD5=c31610f4c383204a1fc105c54b7403c9|MD5=0ec31f45e2e698a83131b4443f9a6dd7|MD5=4885e1bf1971c8fa9e7686fd5199f500|MD5=f83c61adbb154d46dd8f77923aa7e9c3|MD5=5cc5c26fc99175997d84fe95c61ab2c2|MD5=49832b4f726cdff825257bee33ad8451|MD5=1493d342e7a36553c56b2adea150949e|MD5=df9953fa93e1793456a8d428ba7e5700|MD5=40bc58b7615d00eb55ad9ba700c340c1|MD5=ba2c0fa201c74621cddd8638497b3c70|MD5=3c9f9c1b802f66cf03cbe82dec2bd454|MD5=7d84a4ed0fcca3d098881a3f3283724b|MD5=0e14b69dcf67c20343f85f9fdb5b9300|MD5=17b97fbe2e8834d7ad30211635e1b271|MD5=7fbd3b4488a12eab56c54e7bb91516f3|MD5=9007c94c9d91ccff8d7f5d4cdddcc403|MD5=260eef181a9bf2849bfec54c1736613b|MD5=dbde0572d702d0a05c0d509d5624a4d7|MD5=5c5973d2caf86e96311f6399513ab8df|MD5=0703c1e07186cb98837a2ae76f50d42e|MD5=5970e8de1b337ca665114511b9d10806|MD5=2580fb4131353ec417b0df59811f705c|MD5=fa63a634189bd4d6570964e2161426b0|MD5=ee57cbe6ec6a703678eaa6c59542ff57|MD5=e140cb81bd27434fc4fd9080b7551922|MD5=49fe3d1f3d5c2e50a0df0f6e8436d778|MD5=a3af4a4fa6cba27284f8289436c2f074|MD5=192519661fe6d132f233d0355c3f4a6d|MD5=394e290aff9d4e78e504cedfb2d99350|MD5=2e7d824a49d731da9fc96262a29c85ce|MD5=f7cbbb5eb263ec9a35a1042f52e82ca4|MD5=2d8e4f38b36c334d0a32a7324832501d|MD5=443689645455987cb347154b391f734d|MD5=9258e3cb20e24a93d4afdee9f5a0299c|MD5=0067c788e1cb174f008c325ebde56c22|MD5=79f7e6f98a5d3ab6601622be4471027f|MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59|MD5=2f1ebc14bd8a29b89896737ca4076002|MD5=43830326cd5fae66f5508e27cbec39a0|MD5=df5f8e118a97d1b38833fcdf7127ab29|MD5=8de7dcade65a1f51605a076c1d2b3456|MD5=fadf9c1365981066c39489397840f848|MD5=2c957aa79231fad8e221e035db6d0d81|MD5=fd81af62964f5dd5eb4a828543a33dcf|MD5=045ef7a39288ba1f4b8d6eca43def44f|MD5=90f8c1b76f786814d03ef4c51d4abb6d|MD5=17719a7f571d4cd08223f0b30f71b8b8|MD5=bdd8dc8880dfbc19d729ca51071de288|MD5=d79b8b7bed8d30387c22663b24e8c191|MD5=57cd52ed992b634e74d2ddf9853a73b3|MD5=1c294146fc77565030603878fd0106f9|MD5=b7946feaeae34d51f045c4f986fa62ce|MD5=86fd54c56dcafe2de918c36f8dfda67e|MD5=adc1e141b57505fd011bc1efb1ae6967|MD5=6822566b28be75b2a76446a57064369f|MD5=d9ce18960c23f38706ae9c6584d9ac90|MD5=935a7df222f19ac532e831e6bf9e8e45|MD5=664ad9cf500916c94fc2c0020660ac4e|MD5=356bda2bf0f6899a2c08b2da3ec69f13|MD5=dacb62578b3ea191ea37486d15f4f83c|MD5=89c7bd12495e29413038224cb61db02e|MD5=f60a9b88c6ff07d4990d8653d0025683|MD5=710b290a00598fbb1bcc49b30174b2c9|MD5=5c9f240e0b83df758993837d18859cbe|MD5=cb0c5d3639fcd810cde94b7b990aa51c|MD5=4d17b32be70ef39eae5d5edeb5e89877|MD5=0d4306983e694c1f34920bae12d887e6|MD5=2751c7fd7f09479fa2b15168695adebc|MD5=84ba7af6ada1b3ea5efb9871a0613fc6|MD5=0a653d9d0594b152ca835d0b2593269f|MD5=02198692732722681f246c1b33f7a9d9|MD5=9d884ecd3b6c3f2509851ea15ffefbef|MD5=3473faea65fba5d4fbe54c0898a3c044|MD5=013719e840e955c2e4cd9d18c94a2625|MD5=5e71c0814287763d529822d0a022e693|MD5=9f94028cbcf6789103cb5bb6fcef355d|MD5=0d8daf471d871deb90225d2953c0eb95|MD5=ad612a7eb913b5f7d25703cd44953c35|MD5=fe3fb6719e86481a3514ab9e00a55bcf|MD5=3e87e3346441539d3a90278a120766df|MD5=fa173832dca1b1faeba095e5c82a1559|MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5|MD5=803a371a78d528a44ef8777f67443b16|MD5=257483d5d8b268d0d679956c7acdf02d|MD5=02fc655279b8ea3ef37237c488b675cc|MD5=94999245e9580c6228b22ac44c66044c|MD5=88aada8325a3659736b3a7201c825664|MD5=92927c47d6ff139c9b19674c9d0088f6|MD5=05bf59560656c8a9a3191812b0e1235b|MD5=c098f8aeb67eeb2262dbf681690a9306|MD5=eb61616a7bc58e3f5b8cf855d04808c3|MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183|MD5=5efbbfcc6adac121c8e2fe76641ed329|MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0|MD5=e0528f756bbb2ab83c60f9fd6f541e42|MD5=eb4de413782193e824773723d790cfc4|MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a|MD5=97580157f65612f765f39af594b86697|MD5=21e72a43aedefcd70ca8999cc353b51b|MD5=d6b259b2dfe80bdf4d026063accd752c|MD5=ca7b41ce335051bf9dd7fa4a55581296|MD5=084a13f18856d610d44d3109a9d2acde|MD5=a5f637d61719d37a5b4868c385e363c0|MD5=1392b92179b07b672720763d9b1028a5|MD5=1a5a95d6bedbe29e5acf5eb6a727c634|MD5=a71020c6d6d42c5000e9993425247e06|MD5=a9f220b1507a3c9a327a99995ff99c82|MD5=7c40ec9ed020cc9404de8fe3a5361a09|MD5=fe937e1ed4c8f1d4eac12b065093ae63|MD5=4ca0dba9e224473d664c25e411f5a3bd|MD5=2a8662e91a51d8e04a94fa580c7d3828|MD5=942c6a8332d5dd06d8f4b2a9cb386ff4|MD5=0283b43c6bc965175a1c92b255d39556|MD5=2d91d45cd09dfc3f8e89da1c261fd1ac|MD5=187ddca26d119573223cf0a32ba55a61|MD5=1549e6cbce408acaddeb4d24796f2eaf|MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30|MD5=6cce5bb9c8c2a8293df2d3b1897941a2|MD5=e0fb44aba5e7798f2dc637c6d1f6ca84|MD5=de1cc5c266140bff9d964fab87a29421|MD5=66e0db8a5b0425459d0430547ecbb3db|MD5=03ca3b1cff154ab8855043abadd07956|MD5=2a5fb925125af951bd76c00579d61666|MD5=a2c5f994e9b4a74b2f5b51c7a44c4401|MD5=5c55fcfe39336de769bfa258ab4c901d|MD5=aa12c1cb47c443c6108bfe7fc1a34d98|MD5=8407ddfab85ae664e507c30314090385|MD5=be54aabf09c3fa4671b6efacafa389e3|MD5=296bde4d0ed32c6069eb90c502187d0d|MD5=1d768959aaa194d60e4524ce47708377|MD5=dca1c62c793f84bb2d8e41ca50efbff1|MD5=2a5ccd95292f03f0dd4899d18b55b428|MD5=1f950cfd5ed8dd9de3de004f5416fe20|MD5=35493772986f610753be29121cd68234|MD5=6212832f13b296ddbc85b24e22edb5ec|MD5=9b157f1261a8a42e4ef5ec23dd4cda9e|MD5=b89b097b8b8aecb8341d05136f334ebb|MD5=8942e9fa2459b1e179a6535ca16a2fb4|MD5=64efbffaa153b0d53dc1bccda4279299|MD5=70dcd07d38017b43f710061f37cb4a91|MD5=537e2c3020b1d48b125da593e66508ec|MD5=05b4463677e2566414ad53434ad9e7e5|MD5=7be3a7a743f2013c3e90355219626c2c|MD5=7f258c0161e9edca8e7f85ac0dd68e46|MD5=81df475ab8d37343f0ad2a55b1397a8f|MD5=f0aeb731d83f7ab6008c92c97faf6233|MD5=507a649eb585d8d0447eab0532ef0c73|MD5=5c5e3c7ca39d9472099ea81c329b7d75|MD5=a31246180e61140ad7ff9dd7edf1f6a1|MD5=9226339848e359f5e4cd519bef7dcd39|MD5=f544f9925cab71786e57241c10e08633|MD5=88d2143ae62878dada3aa0a6d8f7cea8|MD5=c06dda757b92e79540551efd00b99d4b|MD5=41ce6b172542a9a227e34a45881e1d2a|MD5=9bcb97a1697a70f59405786759af63b8|MD5=17c7bcae7ebabb95af2f7c91b19c361c|MD5=aaa8999a169e39fb8b48ae49cd6ac30a|MD5=9a5a35112c4f8016abcc6363b44d3385|MD5=6b2df08bacf640cc2ac6f20c76af07ee|MD5=ab4656d1ec4d4cc83c76f639a5340e84|MD5=697f698b59f32f66cd8166e43a5c49c7|MD5=4e90cd77509738d30d3181a4d0880bfa|MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3|MD5=16472fca75ab4b5647c99de608949cde|MD5=24fe18891c173a7c76426d08d2b0630e|MD5=2faa725dd9bb22b2100e3010f8a72182|MD5=251e1ce4e8e9b9418830ed3dc8edd5e3|MD5=1f3522c5db7b9dcdd7729148f105018e|MD5=d5a642329cce4df94b8dc1ba9660ae34|MD5=b2600502a5b962b8cdfac2ead24b17b4|MD5=c9cb486b4f652c9cfb8411803f8ed5f0|MD5=73c98438ac64a68e88b7b0afd11ba140|MD5=ab7b28b532beba6a6c0217bc406b80ee|MD5=75dbd5db9892d7451d0429bec1aabe1a|MD5=d4a10447fdaff7a001715191c1f914b6|MD5=31eca8c0b32135850d5a50aee11fec87|MD5=2cc65e805757cfc4f87889cdceb546cd|MD5=96b463b6fa426ae42c414177af550ba2|MD5=ef5ba21690c2f4ba7e62bf022b2df1f7|MD5=f406c5536bcf9bacbeb7ce8a3c383bfa|MD5=1ed043249c21ab201edccb37f1d40af9|MD5=86635fdc8e28957e6c01fc483fe7b020|MD5=520c18f50d3cb2ce162767c4c1998b86|MD5=569676d3d45b0964ac6dd0815be8ff8c|MD5=3f39f013168428c8e505a7b9e6cba8a2|MD5=68726474c69b738eac3a62e06b33addc|MD5=c04a5cdcb446dc708d9302be4e91e46d|MD5=a179c4093d05a3e1ee73f6ff07f994aa|MD5=1a22a85489a94db6ff68cd624ef43bad|MD5=4ad30223df1361726ff64417f8515272|MD5=4cee9945f9a3e8f2433f5aa8c58671fb|MD5=f56f30ac68c35dd4680054cdfd8f3f00|MD5=31a331a88c6280555859455518a95c35|MD5=650f6531db6fb0ed25d7fc70be35a4da|MD5=82854a57630059d1ce2870159dc2f86b|MD5=d556cb79967e92b5cc69686d16c1d846|MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e|MD5=d9e7e5bcc5b01915dbcef7762a7fc329|MD5=a60c9173563b940203cf4ad38ccf2082|MD5=95a95e28cf5ee4ece6ffbaf169358192|MD5=397580c24c544d477688fcfca9c9b542|MD5=c5d1f8ed329ebb86ddd01e414a6a1718|MD5=ab4ee84e09b09012ac86d3a875af9d43|MD5=c9a293762319d73c8ee84bcaaf81b7b3|MD5=a641e3dccba765a10718c9cb0da7879e|MD5=dd39a86852b498b891672ffbcd071c03|MD5=715f8efab1d1c660e4188055c4b28eed|MD5=c046ca4da48db1524ddf3a49a8d02b65|MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a|MD5=bf581e9eb91bace0b02a2c5a54bf1419|MD5=d6c2e061b21c32c585aca5f38335c21c|MD5=7aa34cd9ea5649c24a814e292b270b6f|MD5=5eabc87416f59e894adfde065d0405fa|MD5=7ffdd78d63ca7307a96843cfe806799e|MD5=bbbc9a6cc488cfb0f6c6934b193891eb|MD5=113056ec5c679b6f74c9556339ebf962|MD5=f7745b42882dec947f6629ab9b7c39b7|MD5=4b60ef388071e0baf299496e3d6590ae|MD5=c006d1844f20b91d0ea52bf32d611f30|MD5=a0074303fe697a36d9397c0122e04973|MD5=ff7b31fa6e9ab923bce8af31d1be5bb2|MD5=2e887e52e45bba3c47ccd0e75fc5266f|MD5=7eeb4c0cb786a409b94066986addf315|MD5=e28ce623e3e5fa1d2fe16c721efad4c2|MD5=0eb3dfeffb49d32310d96f3aa3e8ca61|MD5=a15235fcec1c9b65d736661d4bec0d38|MD5=0ad87bba19f0b71ccb2d32239abd49ec|MD5=1c9001dcd34b4db414f0c54242fedf49|MD5=490b1f404c4f31f4538b36736c990136|MD5=1dc94a6a82697c62a04e461d7a94d0b0|MD5=555446a3ca8d9237403471d4744e39f4|MD5=100fe0bc0c183d16e1f08d1a2ad624a8|MD5=37086ae5244442ba552803984a11d6cb|MD5=5d4df0bac74e9ac62af6bc99440b050b|MD5=94cdf2cf363be5a8749670bea4db65cd|MD5=3a48f0e4297947663fbb11702aa1d728|MD5=98583b2f2efe12d2a167217a3838c498|MD5=7437d4070b5c018e05354c179f1d5e2a|MD5=7d46d0ddaf8c7e1776a70c220bf47524|MD5=3c4154866f3d483fdc9f4f64ef868888|MD5=91203acddac81511d17a68a030d063a8|MD5=7d87a9c54e49943bf18574c6f02788ee|MD5=8d63e1a9ff4cafee1af179c0c544365c|MD5=34069a15ae3aa0e879cd0d81708e4bcc|MD5=e4788e5b3e5f0a0bbb318a9c426c2812|MD5=1c591efa8660d4d36a75db9b82474174|MD5=e9e786bdba458b8b4f9e93d034f73d00|MD5=d5db81974ffda566fa821400419f59be|MD5=a926b64be7c27ccb96e687a3924de298|MD5=1c4acf27317a2b5eaedff3ce6094794d|MD5=cd1c8a66e885b7a8b464094395566a46|MD5=edfa69e9132a56778d6363cd41843893|MD5=1ed08a6264c5c92099d6d1dae5e8f530|MD5=f690bfc0799e51a626ba3931960c3173|MD5=7c983b4e66c4697ad3ce7efc9166b505|MD5=4a06bcd96ef0b90a1753a805b4235f28|MD5=c28b4a60ebd4b8c12861829cc13aa6ff|MD5=e700a820f117f65e813b216fccbf78c9|MD5=515c75d77c64909690c18c08ef3fc310|MD5=7056549baa6da18910151b08121e2c94|MD5=61b068b10abfa0776f3b96a208d75bf9|MD5=c901887f28bbb55a10eb934755b47227|MD5=0761c357aed5f591142edaefdf0c89c8|MD5=f141db170bb4c6e088f30ddc58404ad3|MD5=6d97ee5b3300d0f7fa359f2712834c40|MD5=53f103e490bc11624ef6a51a6d3bdc05|MD5=3482acba11c71e45026747dbe366a7d9|MD5=7475bfea6ea1cd54029208ed59b96c6b|MD5=d011d5fecdc94754bf02014cb229d6bc|MD5=42f7cc4be348c3efd98b0f1233cf2d69|MD5=45c2d133d41d2732f3653ed615a745c8|MD5=71fffc05cff351a6f26f78441cfebe26|MD5=da6f7407c4656a2dbaf16a407aff1a38|MD5=5dd25029499cd5656927e9c559955b07|MD5=a82c01606dc27d05d9d3bfb6bb807e32|MD5=8a973be665923e9708974e72228f9805|MD5=312e31851e0fc2072dbf9a128557d6ef|MD5=4ff880566f22919ed94ffae215d39da5|MD5=fcc5de75c1837b631ed77ea4638704b9|MD5=279f3b94c2b9ab5911515bc3e0ecf175|MD5=61d6b1c71ad94f8485e966bebc36d092|MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85|MD5=4a829b8cf1f8fdb69e1d58ae04e6106e|MD5=e4d4a22cbf94e6b0a92fc36d46741f56|MD5=e4a0bba88605d4c07b58a2cc3fac0fe9|MD5=272446de15c63095940a3dad0b426f21|MD5=f160ecce1500a5a5877c123584e86b17|MD5=0a2ec9e3e236698185978a5fc76e74e6|MD5=21ca6a013a75fcf6f930d4b08803973a|MD5=e432956d19714c65723f9c407ffea0c5|MD5=4e4b9bdcc6b8d97828ae1972d750a08d|MD5=67e3b720cee8184c714585a85f8058a0|MD5=03c9d5f24fd65ad57de2d8a2c7960a70|MD5=f65e545771fd922693f0ec68b2141012|MD5=7a16fca3d56c6038c692ec75b2bfee15|MD5=5adebdb94abb4c76dad2b7ecb1384a9d|MD5=003dc41d148ec3286dc7df404ba3f2aa|MD5=0490f5961e0980792f5cb5aedf081dd7|MD5=d3e40644a91327da2b1a7241606fe559|MD5=49938383844ceec33dba794fb751c9a5|MD5=f7393fb917aed182e4cbef25ce8af950|MD5=549e5148be5e7be17f9d416d8a0e333e|MD5=9a237fa07ce3ed06ea924a9bed4a6b99|MD5=96fb2101f85fa81871256107bdd25169|MD5=aa9adcf64008e13d7e68b56fdd307ead|MD5=62eed4173c566a248531fb6f20a5900d|MD5=87982977500b93330df08bf372435641|MD5=9e0af1fe4d6dd2ca4721810ed1c930d6|MD5=9b5533c4af38759d167d5399e83b475f|MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5|MD5=22ca5fe8fb0e5e22e6fb0848108c03f4|MD5=7b43dfd84de5e81162ebcfafb764b769|MD5=ccb09eb78e047c931708149992c2e435|MD5=8c1d181480796d7d3366a9381fd7782d|MD5=b5192270857c1f17f7290acbaadf097d|MD5=fe71c99a5830f94d77a8792741d6e6c7|MD5=238769fd8379ec476c1114bd2bd28ca6|MD5=cf7aeedd674417b648fc334d179c94ae|MD5=52b7cd123f6d1b9ed76b08f2ee7d9433|MD5=8d14b013fc2b555e404b1c3301150c34|MD5=2e492f14a1087374368562d01cd609aa|MD5=65e6718a547495c692e090d7887d247b|MD5=51e7b58f6e9b776568ffbd4dd9972a60|MD5=84c4d8ae023ca9bb60694fa467141247|MD5=69ac6165912cb263a656497cc70155e6|MD5=30efb7d485fc9c28fe82a97deac29626|MD5=f4b2580cf0477493908b7ed81e4482f8|MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac|MD5=595363661db3e50acc4de05b0215cc6f|MD5=cec257dcac9e708cefb17f8984dd0a70|MD5=0e51d96a3b878b396708535f49a6d7cb|MD5=f34489c0f0d0a16b4db8a17281b57eba|MD5=80b4041695810f98e1c71ff0cf420b6d|MD5=7978d858168fadd05c17779da5f4695a|MD5=557fd33ee99db6fe263cfcb82b7866b3|MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108|MD5=9b91a44a488e4d539f2e55476b216024|MD5=3b23808de1403961205352e94b8f2f9b|MD5=13bd61916343d94ebefc9a7911d7bf88|MD5=936729b8dc2282037bc1504c2680e3ad|MD5=9f70cd5edcc4efc48ae21e04fb03be9d|MD5=75e50ae2e0f783e0caf912f45e15248a|MD5=444f538daa9f7b340cfd43974ed43690|MD5=8b47c5580b130dd3f580af09323bc949|MD5=daf11013cf4c879a54ed6a86a05bee3c|MD5=eff3a9cc3e99ef3ddae57df72807f0c7|MD5=9982da703f13140997e137b1e745a2e3|MD5=f778489c7105a63e9e789a02412aaa5f|MD5=723381977ce7df57ec623db52b84f426|MD5=1db988eb9ac5f99756c33b91830a9cf6|MD5=c02f70960fa934b8defa16a03d7f6556|MD5=5e35c049bc8076406910da36edf9212d|MD5=241a095631570a9cef4f126c87605c60|MD5=bbe4f5f8b0c0f32f384a83ae31f49a00|MD5=b418293e25632c5f377bf034bb450e57|MD5=4f191abc652d8f7442ca2636725e1ed6|MD5=34e55ccceec34a8567c8b95d662ba886|MD5=4f5ca81806098204c4dea0927a8fec66|MD5=8b287636041792f640f92e77e560725e|MD5=56a515173b211832e20fbc64e5a0447c|MD5=2315a8919cfb167e718d8c788ed3ceca|MD5=2d465b4487dc81effaa84f122b71c24f|MD5=29ccff428e5eb70ae429c3da8968e1ec|MD5=28d6b138adc174a86c0f6248d8a88275|MD5=9beecfb3146f19400880da61476ef940|MD5=d5556c54c474cf0bff25804bfbe788d3|MD5=f7a09ac4a91a6390f8d00bf09f53ae37|MD5=0d6fef14f8e1ce5753424bd22c46b1ce|MD5=06897b431c07886454e0681723dd53e6|MD5=c533d6d64b474ffc3169a0e0fc0a701a|MD5=c52dce2bee8ec88748411e470ff531f6|MD5=71858fa117e6f3309606d5cdb57e6e09|MD5=259381daae0357fbfefe1d92188c496a|MD5=ceac1347acae9ad9496d4b0593256522|MD5=4124de3cb72f5dfd7288389862b03f2a|MD5=edbf206c27c3aa7d1890899dffcc03ec|MD5=a5ff71e189b462d2b1f0e9e8c4668d79|MD5=c49a1956a6a25ffc25ad97d6762b0989|MD5=c475c7d0f2d934f150b6c32c01479134|MD5=eb7f6d01c97783013115ad1a2833401a|MD5=e98f4cc2cbf9ec23fd84da30c0625884|MD5=bf74d0706f5ab9c34067192260f4efb0|MD5=0752f113d983030939b4ab98b0812cf0|MD5=7c22b7686c75a2bb7409b3c392cc791a|MD5=07efb8259b42975d502a058db8a3fd21|MD5=def0da6c95d14f7020e533028224250e|MD5=d4a9f80ecb448da510e5bf82c4a699ee|MD5=c5e7e8ca0d76a13a568901b6b304c3ba|MD5=59f6320772a2e6b0b3587536be4cc022|MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306|MD5=0ccc4e9396e0be9c4639faec53715831|MD5=c15eb30e806ad5e771b23423fd2040b0|MD5=f3d14fcdb86db8d75416ce173c6061af|MD5=637f2708da54e792c27f1141d5bb09cd|MD5=779af226b7b72ff9d78ce1f03d4a3389|MD5=a17c58c0582ee560c72f60764ed63224|MD5=c2c1b8c00b99e913d992a870ed478a24|MD5=2b6a17ec50d3a21e030ed78f7acbd2af|MD5=76bb1a4332666222a8e3e1339e267179|MD5=0ef05030abd55ba6b02faa2c0970f67f|MD5=56a9e9b5334f8698a0ede27c64140982|MD5=9e0659d443a2b9d1afc75a160f500605|MD5=bc6ff00fb3a14437c94b37ac9a2101d4|MD5=2da209dde8188076a9579bd256dc90d0|MD5=11dc5523bb559f8d2ce637f6a2b70dea|MD5=12908c285b9d68ee1f39186110df0f1e|MD5=73a40e29f61e5d142c8f42b28a351190|MD5=0797bb21d7a0210fedf4f3533ee82494|MD5=6846c2035b4c56b488d2ce2c69a57261|MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95|MD5=41339c852c6e8e4c94323f500c87a79c|MD5=ce57844fb185d0cdd9d3ce9e5b6a891d|MD5=3ab94fba7196e84a97e83b15f7bcb270|MD5=0291ced808eafe406d3d9b56d2fc0c26|MD5=3836e2db9034543f63943cdbb52a691a|MD5=0dff47f3b14fb1c1bad47cc517f0581a|MD5=e8ebba56ea799e1e62748c59e1a4c586|MD5=2c54859a67306e20bfdc8887b537de72|MD5=4e67277648c63b79563360dac22b5492|MD5=26ce59f9fc8639fd7fed53ce3b785015|MD5=2927eac51c46944ab69ba81462fb9045|MD5=1a6e12c2d11e208bdf72a8962120fae7|MD5=daf800da15b33bf1a84ee7afc59f0656|MD5=9cbdb5fb6dc63cb13f10b6333407cbb9|MD5=9650db2ef0a44984845841ab24972ced|MD5=96a8b535b5e14b582ca5679a3e2a5946|MD5=33b3842172f21ba22982bfb6bffbda27|MD5=2391fb461b061d0e5fccb050d4af7941|MD5=8bf290b5eda99fc2697373a87f4e1927|MD5=5fade7137c14a94b323f3b7886fba2a9|MD5=a89ca92145fc330adced0dd005421183|MD5=96421b56dbda73e9b965f027a3bda7ba|MD5=d6e9f6c67d9b3d790d592557a7d57c3c|MD5=6fa271b6816affaef640808fc51ac8af|MD5=94d45bb36b13f4e936badb382fc133fe|MD5=e027daa2f81961d09aef88093e107d93|MD5=b1b8e6b85dd03c7f1290b1a071fc79c1|MD5=07fc1e043654fdde56da98d93523635c|MD5=118f3fdba730094d17aa1b259586aef6|MD5=2714c93eb240375a2893ed7f8818004f|MD5=641243746597fbd650e5000d95811ea3|MD5=449bb1c656fa30de7702f17e35b11cd3|MD5=96c850e53caca0469e1c4604e6c1aad1|MD5=12cecc3c14160f32b21279c1a36b8338|MD5=949ef0df929a71d6cc77494dfcb1ddeb|MD5=8065a7659562005127673ac52898675f|MD5=1033f0849180aac4b101a914bc8c53b4|MD5=8f73c1c48ffddfca7d1a98faf83d18ff|MD5=648adec580746afbbf59904c1e150c73|MD5=e84605c8e290de6b92ce81d2f6a175d2|MD5=300d6ac47a146eb8eb159f51bc13f7cf|MD5=392d7180653b0ca77a78bdf15953d865|MD5=f0e21ababe63668fb3fbd02e90cd1fa9|MD5=e0bfbdf3793ea2742c03f5a82cb305a5|MD5=00143c457c8885fd935fc5d5a6ba07a4|MD5=c8d3784a3ab7a04ad34ea0aba32289ca|MD5=9532893c1d358188d66b0d7b0784bb6b|MD5=564d84a799db39b381a582a0b2f738c4|MD5=fd3b7234419fafc9bdd533f48896ed73|MD5=be5f46fd1056f02a7a241e052fa5888f|MD5=2128e6c044ee86f822d952a261af0b48|MD5=4b817d0e7714b9d43db43ae4a22a161e|MD5=eaec88a63db9cf9cee53471263afe6fb|MD5=ecdc79141b7002b246770d01606504f2|MD5=ad866d83b4f0391aecceb4e507011831|MD5=88a6d84f4f1cc188741271ac1999a4e9|MD5=8580165a2803591e007380db9097bbcc|MD5=5c4df33951d20253a98aa7b5e78e571a|MD5=27d21eeff199ed555a29ca0ea4453cfb|MD5=43bfc857406191963f4f3d9f1b76a7bf|MD5=0fbf893691a376b168d8cdf427b89945|MD5=1762105b28eb90d19e9ab3acde16ead6|MD5=b41dcdb2e710dffba2d8ea1defb0f087|MD5=c42caa9cdcc50c01cb2fed985a03fe23|MD5=c516acb873c7f8c24a0431df8287756e|MD5=343ada10d948db29251f2d9c809af204|MD5=790ccca8341919bb8bb49262a21fca0e|MD5=51207adb8dab983332d6b22c29fe8129|MD5=f1e054333cc40f79cfa78e5fbf3b54c2|MD5=7c4e513702a0322b0e3bce29dea9e3e9|MD5=8ac6d458abbe4f5280996eb90235377c|MD5=6a1ff4806c1a6e897208f48a1f5b062f|MD5=a4531040276080441974d9e00d8d4cfa|MD5=d1f9ffe5569642c8f8c10ed7ee5d9391|MD5=09b3d078ffa3b4ed0ad2e477a2ee341f|MD5=83601bbe5563d92c1fdb4e960d84dc77|MD5=1414629b1ee93d2652ff49b2eb829940|MD5=84b17daba8715089542641990c1ea3c2|MD5=6ae4dec687ac6d1b635a4e351dddf73e|MD5=9dfd73dadb2f1c7e9c9d2542981aaa63|MD5=1e1a3d43bd598b231207ff3e70f78454|MD5=07f83829e7429e60298440cd1e601a6a|MD5=7c72a7e1d42b0790773efd8700e24952|MD5=f41eea88057d3dd1a56027c4174eed22|MD5=f53fa44c7b591a2be105344790543369|MD5=08e06b839499cb4b752347399db41b57|MD5=c3fea895fe95ea7a57d9f4d7abed5e71|MD5=785045f8b25cd2e937ddc6b09debe01a|MD5=53bb10742e10991af4ad280fcb134151|MD5=76c643ab29d497317085e5db8c799960|MD5=bce7f34912ff59a3926216b206deb09f|MD5=c4f5619ce04d4bee38024d08513c77fd|MD5=2a3ce41bb2a7894d939fbd1b20dae5a0|MD5=86bec99cd121b0386a5acc1c368a9d49|MD5=e076dadf37dd43a6b36aeed957abee9e|MD5=4a85754636c694572ca9f440d254f5ce|MD5=f4b7b84a6828d2f9205b55cf8cfc7742|MD5=8f5b84350bfc4fe3a65d921b4bd0e737|MD5=f9d04e99e4cab90973226a4555bc6d57|MD5=bc5366760098dc14ec00ae36c359f42b|MD5=b79475c4783efdd8122694c6b5669a79|MD5=5f4a232d92480a1bebbe025ef64dc760|MD5=1cff7b947f8c3dea1d34dc791fc78cdc|MD5=69ba501a268f09f694ff0e8e208aa20e|MD5=030c8432981e4d41b191624b3e07afe2|MD5=c56a9ed0192c5a2b39691e54f2132a2f|SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb|SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804|SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55|SHA1=f02af84393e9627ba808d4159841854a6601cf80|SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28|SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6|SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001|SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5|SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682|SHA1=f4728f490d741b04b611164a7d997e34458e3a5e|SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255|SHA1=bda26e533ef971d501095950010081b772920afc|SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b|SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0|SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb|SHA1=8795df6494b724d9f279f007db33c24c27a91d08|SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d|SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4|SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2|SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622|SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad|SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f|SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84|SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120|SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3|SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a|SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf|SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5|SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7|SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf|SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b|SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124|SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905|SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab|SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d|SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d|SHA1=8fb149fc476cf5bf18dc575334edad7caf210996|SHA1=091df975fa983e4ad44435ca092dbf84911f28a5|SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf|SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be|SHA1=90d73db752eac6ffc53555281fc5aa92297285ec|SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1|SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c|SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7|SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e|SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860|SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f|SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066|SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93|SHA1=bed323603a33fa8b2fc7568149345184690f0390|SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2|SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7|SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915|SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b|SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b|SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457|SHA1=0a5ef5b72e621a639860c03f1cac499567082f39|SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc|SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d|SHA1=064847af77afca8a879a9bf34cb87b64b5e69165|SHA1=468cc011807704c04892ed209cf81d7896a12a0c|SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41|SHA1=fc62b746e0e726537bf848b48212f46db585af6d|SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f|SHA1=eceb51233f013e04406da11482324d45e70281c7|SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e|SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543|SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82|SHA1=62244c704b0f227444d3a515ea0dc1003418a028|SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce|SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348|SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8|SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86|SHA1=0be77bb3720283c9a970a97dab25d2a312e86110|SHA1=213ba055863d4226da26a759e8a254062ea77814|SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3|SHA1=623cd2abef6c92255f79cbbd3309cb59176771da|SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8|SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e|SHA1=461882bd59887617cadc1c7b2b22d0a45458c070|SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3|SHA1=8278db134d3b505c735306393fdf104d014fb3bf|SHA1=22c909898f5babe37cc421b4f5ed0522196f8127|SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c|SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775|SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604|SHA1=8a922499f7a1b978555b46c30f90de1339760c74|SHA1=2540205480ea3d59e4031de3c6632e3ce2596459|SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3|SHA1=aaffdc89befa42e375f822366bbded8c245baf94|SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047|SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752|SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17|SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3|SHA1=fff7ee0febb8c93539220ca49d4206616e15c666|SHA1=205c69f078a563f54f4c0da2d02a25e284370251|SHA1=d302ae7f016299af323a3542d840004888ab91ff|SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370|SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b|SHA1=63cf021c8662fa23ce3e4075a4f849431e473058|SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281|SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72|SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb|SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1|SHA1=745bad097052134548fe159f158c04be5616afc2|SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978|SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493|SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95|SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d|SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a|SHA1=029c678674f482ababe8bbfdb93152392457109d|SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad|SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475|SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939|SHA1=4fe873544c34243826489997a5ff14ed39dd090d|SHA1=d06d119579156b1ec732c50f0f64358762eb631a|SHA1=27eab595ec403580236e04101172247c4f5d5426|SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f|SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd|SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8|SHA1=d61acd857242185a56e101642d15b9b5f0558c26|SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d|SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0|SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c|SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27|SHA1=35f803d483af51762bee3ec130de6a03362ce920|SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c|SHA1=004d9353f334e42c79a12c3a31785a96f330bbef|SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc|SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563|SHA1=2261198385d62d2117f50f631652eded0ecc71db|SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e|SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b|SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0|SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9|SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479|SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3|SHA1=e88259de797573fa515603ad3354aed0bce572f1|SHA1=f70eb454c0e9ea67a18c625faf7a666665801035|SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c|SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562|SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2|SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451|SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1|SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551|SHA1=4a7d66874a0472a47087fabaa033a85d47413379|SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09|SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409|SHA1=3f43412c563889a5f5350f415f7040a71cc25221|SHA1=8031ecbff95f299b53113ccd105582defad38d7b|SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e|SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db|SHA1=12154f58b68902a40a7165035d37974128deb902|SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c|SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63|SHA1=9310239b75394b75a963336fbd154038fc13c4e3|SHA1=7673cebd15488cbbb4ca65209f92faab3f933205|SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f|SHA1=190c20e130a9156442eebcf913746c69b9485eec|SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e|SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89|SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1|SHA1=3f223581409492172a1e875f130f3485b90fbe5f|SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344|SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0|SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79|SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d|SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d|SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703|SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886|SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd|SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4|SHA1=14bf0eaa90e012169745b3e30c281a327751e316|SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e|SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417|SHA1=e4e40032376279e29487afc18527804dce792883|SHA1=bebf97411946749b9050989d9c40352dbe8269ea|SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e|SHA1=b21cba198d721737aabd882ada6c91295a5975ed|SHA1=8f540936f2484d020e270e41529624407b7e107e|SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68|SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9|SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3|SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184|SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875|SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33|SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9|SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e|SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5|SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb|SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979|SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c|SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2|SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5|SHA1=59c4960851af9240dded4173c4f823727af19512|SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d|SHA1=9393698058ce1187eb87e8c148cfe4804761142d|SHA1=ed219d966a6e74275895cc0b975b79397760ea9f|SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa|SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c|SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f|SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579|SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b|SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e|SHA1=589a7d4df869395601ba7538a65afae8c4616385|SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f|SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946|SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47|SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d|SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488|SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa|SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11|SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436|SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b|SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5|SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8|SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2|SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd|SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f|SHA1=1951ae94c6ee63fa801208771b5784f021c70c60|SHA1=8b53284fb23d34ca144544b19f8fba63700830d8|SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05|SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb|SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c|SHA1=ac13941f436139b909d105ad55637e1308f49d9a|SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0|SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65|SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0|SHA1=64df813dc0774ef57d21141dcb38d08059fd8660|SHA1=bdfb1a2b08d823009c912808425b357d22480ecc|SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c|SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d|SHA1=ed40c1f7da98634869b415530e250f4a665a8c48|SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d|SHA1=684786de4b3b3f53816eae9df5f943a22c89601f|SHA1=b3b523504af5228c49060ec8dea9f8adce05e117|SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0|SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae|SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327|SHA1=190ec384e6eb1dafca80df05055ead620b2502ba|SHA1=6b25acbcb41a593aca6314885572fc22d16582a2|SHA1=341225961c15a969c62de38b4ec1938f65fda178|SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326|SHA1=5812387783d61c6ab5702213bb968590a18065e3|SHA1=e700fcfae0582275dbaee740f4f44b081703d20d|SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e|SHA1=7cf7644e38746c9be4537b395285888d5572ae1b|SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105|SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a|SHA1=9b3f57693f0f69d3729762d59a10439e738b9031|SHA1=63bb17160115f16b3fca1f028b13033af4e468c6|SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8|SHA1=06ec56736c2fc070066079bb628c17b089b58f6c|SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c|SHA1=e40182c106f6f09fd79494686329b95477d6beb5|SHA1=c74f6293be68533995e4b95469e6dddedd1c3905|SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144|SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea|SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c|SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f|SHA1=17614fdee3b89272e99758983b99111cbb1b312c|SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf|SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60|SHA1=c8674fe95460a37819e06d9df304254931033ca7|SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e|SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2|SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925|SHA1=94144619920bd086028bb5647b1649a35438028c|SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52|SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa|SHA1=d3daa971580b9f94002f7257de44fcef13bb1673|SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb|SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e|SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687|SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae|SHA1=085c0ea6980cb93a3afa076764b7866467ac987c|SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc|SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3|SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2|SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2|SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0|SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503|SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a|SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46|SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131|SHA1=dc393d30453daa1f853f47797e48c142ac77a37b|SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807|SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e|SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1|SHA1=296757d5663290f172e99e60b9059f989cba4c4e|SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637|SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305|SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce|SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab|SHA1=4818d7517054d5cba38b679bdf7f8495fd152729|SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7|SHA1=28fa0e9429af24197134306b6c7189263e939136|SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f|SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d|SHA1=76a756cc61653abcadd63db4a74c48d92607a861|SHA1=15df139494d2c40a645fb010908551185c27f3c5|SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869|SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da|SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5|SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522|SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc|SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d|SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2|SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e|SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2|SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d|SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f|SHA1=b671677079bf7c660579bee08b8875a48ff61896|SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c|SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1|SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef|SHA1=b394f84e093cb144568e18aaf5b857dff77091fa|SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1|SHA1=0307d76750dd98d707c699aee3b626643afb6936|SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a|SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c|SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60|SHA1=a197a02025946aca96d6e74746f84774df31249e|SHA1=82ba5513c33e056c3f54152c8555abf555f3e745|SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c|SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2|SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97|SHA1=446130c61555e5c9224197963d32e108cd899ea0|SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4|SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de|SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06|SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e|SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9|SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30|SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa|SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b|SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e|SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950|SHA1=4c18754dca481f107f0923fb8ef5e149d128525d|SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda|SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd|SHA1=2cf75df00c69d907cfe683cb25077015d05be65d|SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6|SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da|SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed|SHA1=e606282505af817698206672db632332e8c3d3ff|SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc|SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b|SHA1=34b0f1b2038a1572ee6381022a24333357b033c4|SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697|SHA1=a14d96b65d3968181d57b57ee60c533cb621b707|SHA1=cd248648eafca6ef77c1b76237a6482f449f13be|SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08|SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4|SHA1=74bf2ec32cb881424a79e99709071870148d242d|SHA1=943593e880b4d340f2548548e6e673ef6f61eed3|SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8|SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e|SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019|SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d|SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b|SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc|SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c|SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0|SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61|SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3|SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905|SHA1=30c6e1da8745c3d53df696af407ef095a8398273|SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385|SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d|SHA1=5ce273aa80ed3b0394e593a999059096682736ae|SHA1=36397c6879978223ba52acd97da99e8067ab7f05|SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561|SHA1=2f991435a6f58e25c103a657d24ed892b99690b8|SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a|SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6|SHA1=256d285347acd715ed8920e41e5ec928ae9201a8|SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c|SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58|SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2|SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e|SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67|SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5|SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696|SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3|SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef|SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347|SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2|SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f|SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329|SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc|SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265|SHA1=af50109b112995f8c82be8ef3a88be404510cdde|SHA1=ec04d8c814f6884c009a7b51c452e73895794e64|SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab|SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f|SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb|SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80|SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256|SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3|SHA1=c1fe7870e202733123715cacae9b02c29494d94d|SHA1=9c256edd10823ca76c0443a330e523027b70522d|SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d|SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b|SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb|SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81|SHA1=723fd9dd0957403ed131c72340e1996648f77a48|SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6|SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb|SHA1=838823f25436cadc9a145ddac076dce3e0b84d96|SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4|SHA1=363068731e87bcee19ad5cb802e14f9248465d31|SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4|SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82|SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d|SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27|SHA1=7859e75580570e23a1ef7208b9a76f81738043d5|SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89|SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc|SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd|SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f|SHA1=468e2e5505a3d924b14fedee4ddf240d09393776|SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7|SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22|SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc|SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52|SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c|SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f|SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e|SHA1=e702221d059b86d49ed11395adffa82ef32a1bce|SHA1=dd085542683898a680311a0d1095ea2dffe865e2|SHA1=69849d68d1857c83b09e1956a46fe879260d2aab|SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e|SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74|SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4|SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805|SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a|SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4|SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb|SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c|SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68|SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c|SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4|SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da|SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26|SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5|SHA1=e1069365cb580e3525090f2fa28efd4127223588|SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7|SHA1=67dfd415c729705396ce54166bd70faf09ac7f10|SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287|SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2|SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682|SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532|SHA1=bc949bc040333fdc9140b897b0066ef125343ef6|SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75|SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92|SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2|SHA1=51b60eaa228458dee605430aae1bc26f3fc62325|SHA1=054a50293c7b4eea064c91ef59cf120d8100f237|SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4|SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3|SHA1=d0452363b41385f6a6778f970f3744dde4701d8f|SHA1=d72de7e8f0118153dd5cf784f724e725865fc523|SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc|SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418|SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8|SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab|SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d|SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463|SHA1=4a887ae6b773000864f9228800aab75e6ff34240|SHA1=283c7dc5b029dbc41027df16716ec12761a53df8|SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8|SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb|SHA1=16c6bcef489f190a48e9d3b1f35972db89516479|SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c|SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688|SHA1=faa61346430aedc952d820f7b16b973c9bf133c3|SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d|SHA1=f18e669127c041431cde8f2d03b15cfc20696056|SHA1=1de9f25d189faa294468517b15947a523538ce9d|SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793|SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a|SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2|SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3|SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d|SHA1=48a09ca5fdbc214e675083c2259e051b0629457b|SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77|SHA1=8347487b32b993da87275e3d44ff3683c8130d33|SHA1=4471935df0e68fe149425703b66f1efca3d82168|SHA1=eaddeefe13bca118369faf95eee85b0a2a553221|SHA1=98600e919b8579d89e232a253d7277355b652750|SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64|SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741|SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0|SHA1=6210dabb908cc750379cc7563beb884b3895e046|SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561|SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5|SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8|SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb|SHA1=4f94789cffb23c301f93d6913b594748684abf6a|SHA1=511b06898770337609ee065547dbf14ce3de5a95|SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b|SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054|SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb|SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc|SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160|SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105|SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d|SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d|SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a|SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8|SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894|SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b|SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050|SHA1=21e6c104fe9731c874fab5c9560c929b2857b918|SHA1=ef80da613442047697bec35ea228cde477c09a3d|SHA1=c834c4931b074665d56ccab437dfcc326649d612|SHA1=aa2ea973bb248b18973e57339307cfb8d309f687|SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614|SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5|SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f|SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9|SHA1=59aead65b240a163ad47b2d1cf33cdb330608317|SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f|SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a|SHA1=a838303cda908530ef124f8d6f7fb69938b613bc|SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274|SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b|SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff|SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570|SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0|SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe|SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210|SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e|SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52|SHA1=02316decf9e5165b431c599643f6856e86b95e7c|SHA1=cc3186debacb98e0b0fb40ad82816bea10741099|SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd|SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e|SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266|SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c|SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf|SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e|SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d|SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd|SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498|SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef|SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46|SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f|SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c|SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332|SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9|SHA1=bea745b598dd957924d3465ebc04c5b830d5724f|SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3|SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4|SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d|SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8|SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2|SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809|SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299|SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546|SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825|SHA1=be270d94744b62b0d36bef905ef6296165ffcee9|SHA1=108439a4c4508e8dca659905128a4633d8851fd9|SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1|SHA1=343ec3073fc84968e40a145dc9260a403966bcb4|SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67|SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab|SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d|SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe|SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76|SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438|SHA1=a22c111045b4358f8279190e50851c443534fc24|SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6|SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551|SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc|SHA1=490109fa6739f114651f4199196c5121d1c6bdf2|SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef|SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916|SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a|SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9|SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a|SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4|SHA1=25d812a5ece19ea375178ef9d60415841087726e|SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505|SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4|SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c|SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc|SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974|SHA1=94b014123412fbe8709b58ec72594f8053037ae9|SHA1=c969f1f73922fd95db1992a5b552fbc488366a40|SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2|SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7|SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7|SHA1=729a8675665c61824f22f06c7b954be4d14b52c4|SHA1=814200191551faec65b21f5f6819b46c8fc227a3|SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29|SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce|SHA1=0e030cf5e5996f0778452567e144f75936dc278f|SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee|SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d|SHA1=59e6effdb23644ca03e60618095dc172a28f846e|SHA1=df177a0c8c1113449f008f8e833105344b419834|SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4|SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0|SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8|SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8|SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf|SHA1=7ee65bedaf7967c752831c83e26540e65358175e|SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b|SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7|SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0|SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946|SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e|SHA1=5db61d00a001fd493591dc919f69b14713889fc5|SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6|SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341|SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8|SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8|SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62|SHA1=fe10018af723986db50701c8532df5ed98b17c39|SHA1=b34fc245d561905c06a8058753d25244aaecbb61|SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9|SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f|SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b|SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121|SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1|SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b|SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d|SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e|SHA1=628e63caf72c29042e162f5f7570105d2108e3c2|SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e|SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13|SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52|SHA1=377f7e7382908690189aede31fcdd532baa186b5|SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1|SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c|SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756|SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b|SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165|SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776|SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343|SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed|SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d|SHA1=3e790c4e893513566916c76a677b0f98bd7334dd|SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939|SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81|SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe|SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96|SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe|SHA1=4f077a95908b154ea12faa95de711cb44359c162|SHA1=29a190727140f40cea9514a6420f5a195e36386b|SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e|SHA1=de0c16e3812924212f04e15caa09763ae4770403|SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee|SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d|SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b|SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d|SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7|SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac|SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8|SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba|SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53|SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd|SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a|SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d|SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825|SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e|SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665|SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1|SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674|SHA1=07c244739803f60a75d60347c17edc02d5d10b5d|SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1|SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb|SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9|SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca|SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95|SHA1=c22dc62e10378191840285814838fe9ed1af55d7|SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4|SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77|SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537|SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8|SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def|SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92|SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6|SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb|SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181|SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28|SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7|SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c|SHA1=feb8e6e7419713a2993c48b9758c039bd322b699|SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05|SHA1=08596732304351b311970ff96b21f451f23b1e25|SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a|SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d|SHA1=2ed4b51429b0a3303a645effc84022512f829836|SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b|SHA1=4f7a8e26a97980544be634b26899afbefb0a833c|SHA1=983a8d4b1cb68140740a7680f929d493463e32e3|SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f|SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb|SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2|SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705|SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e|SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2|SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309|SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162|SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f|SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b|SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c|SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0|SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c|SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb|SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a|SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af|SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0|SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15|SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5|SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8|SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d|SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863|SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c|SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d|SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875|SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db|SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3|SHA1=d942dac4033dcd681161181d50ce3661d1e12b96|SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52|SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a|SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a|SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca|SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c|SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5|SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37|SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277|SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35|SHA1=35a817d949b2eab012506bed0a3b4628dd884471|SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c|SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03|SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6|SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260|SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd|SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71|SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0|SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6|SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77|SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea|SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca|SHA1=24343ec4dfec11796a8800a3059b630e8be89070|SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9|SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0|SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1|SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0|SHA1=0adc1320421f02f2324e764aa344018758514436|SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0|SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59|SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e|SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e|SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a|SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad|SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30|SHA1=01779ee53f999464465ed690d823d160f73f10e7|SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be|SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9|SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3|SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd|SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b|SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a|SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474|SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8|SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda|SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603|SHA1=85941b94524da181be8aad290127aa18fc71895c|SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d|SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a|SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d|SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a|SHA1=ee877b496777763e853dd81fefd0924509bc5be0|SHA1=3f347117d21cd8229dd99fa03d6c92601067c604|SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799|SHA1=7ce978092fadbef44441a5f8dcb434df2464f193|SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748|SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b|SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804|SHA1=db006fa522142a197686c01116a6cf60e0001ef7|SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57|SHA1=089411e052ea17d66033155f77ae683c50147018|SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849|SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2|SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d|SHA1=c6bd965300f07012d1b651a9b8776028c45b149a|SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1|SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9|SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d|SHA1=d0216ebc81618c22d9d51f2f702c739625f40037|SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd|SHA1=3784d1b09a515c8824e05e9ea422c935e693080c|SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17|SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8|SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c|SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e|SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad|SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406|SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c|SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7|SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9|SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1|SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d|SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c|SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e|SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430|SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7|SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3|SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d|SHA1=6679cb0907ade366cf577d55be07eabc9fb83861|SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00|SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4|SHA1=89656051126c3e97477a9985d363fbdde0bc159e|SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622|SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5|SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1|SHA1=9f2b550c58c71d407898594b110a9320d5b15793|SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44|SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19|SHA1=d73dabcb3f55935b701542fd26875006217ebbbe|SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5|SHA1=643383938d5e0d4fd30d302af3e9293a4798e392|SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f|SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f|SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5|SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516|SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312|SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676|SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c|SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410|SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b|SHA1=4518758452af35d593e0cae80d9841a86af6d3de|SHA1=da42cefde56d673850f5ef69e7934d39a6de3025|SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c|SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d|SHA1=290d6376658cf0f8182de0fae40b503098fa09fd|SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca|SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33|SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb|SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5|SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0|SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec|SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a|SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7|SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1|SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37|SHA1=3c956b524e73586195d704b874e36d49fe42cb6a|SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0|SHA1=caa0cb48368542a54949be18475d45b342fb76e5|SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1|SHA1=1f3a9265963b660392c4053329eb9436deeed339|SHA1=b0c7ec472abf544c5524b644a7114cba0505951e|SHA1=622e7bffda8c80997e149ac11492625572e386e0|SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72|SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4|SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79|SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8|SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e|SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6|SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27|SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf|SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3|SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c|SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45|SHA1=4927d843577bada119a17b249ff4e7f5e9983a92|SHA1=d083e69055556a36df7c6e02115cbbf90726f35c|SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf|SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069|SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b|SHA1=388819a7048179848425441c60b3a8390ad04a69|SHA1=611411538b2bc9045d29bbd07e6845e918343e3c|SHA1=43011eb72be4775fec37aa436753c4d6827395d1|SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c|SHA1=1743b073cccf44368dc83ed3659057eb5f644b06|SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5|SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451|SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0|SHA1=70258117b5efe65476f85143fd14fa0b7f148adb|SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891|SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2|SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e|SHA1=2739c2cfa8306e6f78c335c55639566b3d450644|SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9|SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb|SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5|SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd|SHA1=1e6c2763f97e4275bba581de880124d64666a2fe|SHA1=19977d45e98b48c901596fb0a49a7623cee4c782|SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f|SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843|SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba|SHA1=8d0f33d073720597164f7321603578cd13346d1f|SHA1=229716e61f74db821d5065bac533469efb54867b|SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526|SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308|SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7|SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83|SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5|SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e|SHA1=ce549714a11bd43b52be709581c6e144957136ec|SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf|SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f|SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6|SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d|SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500|SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816|SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143|SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7|SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae|SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc|SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6|SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30|SHA1=948fa3149742f73bf3089893407df1b20f78a563|SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c|SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e|SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf|SHA1=1a53902327bac3ab323ee63ed215234b735c64da|SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123|SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13|SHA1=f052dc35b74a1a6246842fbb35eb481577537826|SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677|SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c|SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2|SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227|SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb|SHA1=43b61039f415d14189d578012b6cb1bd2303d304|SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27|SHA1=a809831166a70700b59076e0dbc8975f57b14398|SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d|SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91|SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0|SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c|SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6|SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1|SHA1=891c8d482e23222498022845a6b349fe1a186bcc|SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72|SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f|SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e|SHA1=356172a2e12fd3d54e758aaa4ff0759074259144|SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24|SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967|SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b|SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f|SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4|SHA1=879fcc6795cebe67718388228e715c470de87dca|SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4|SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7|SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa|SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8|SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962|SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07|SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2|SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2|SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1|SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9|SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4|SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c|SHA1=e835776e0dc68c994dd18e8628454520156c93e3|SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8|SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954|SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74|SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c|SHA1=b0a684474eb746876faa617a28824bee93ba24f0|SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904|SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec|SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6|SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d|SHA1=da9cea92f996f938f699902482ac5313d5e8b28e|SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306|SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016|SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1|SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7|SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5|SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f|SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d|SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4|SHA1=a24840e32071e0f64e1dff8ca540604896811587|SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb|SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77|SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e|SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33|SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566|SHA1=5291b17205accf847433388fe17553e96ad434ec|SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2|SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868|SHA1=87d47340d1940eaeb788523606804855818569e3|SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad|SHA1=e28b754d4d332ea57349110c019d841cf4d27356|SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6|SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc|SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a|SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961|SHA1=d8498707f295082f6a95fd9d32c9782951f5a082|SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02|SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5|SHA1=ba63502aaf8c5a7c2464e83295948447e938a844|SHA1=21ce232de0f306a162d6407fe1826aff435b2a04|SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315|SHA1=03257294ee74f69881002c4bf764b9cb83b759d6|SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1|SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c|SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b|SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8|SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344|SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b|SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28|SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0|SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914|SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8|SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a|SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad|SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12|SHA1=44a3a00394a6d233a27189482852babf070ffebe|SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8|SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057|SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0|SHA1=f9c916d163b85057414300ca214ebdf751172ecf|SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559|SHA1=d62fa51e520022483bdc5847141658de689c0c29|SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64|SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23|SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d|SHA1=45a9f95a7a018925148152b888d09d478d56bbf5|SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3|SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018|SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613|SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a|SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d|SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe|SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8|SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a|SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e|SHA1=1568117f691b41f989f10562f354ee574a6abc2d|SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e|SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1|SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292|SHA1=4a04596acf79115f15add3921ce30a96f594d7ce|SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491|SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a|SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3|SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4|SHA1=be797c91768ac854bd3b82a093e55db83da0cb11|SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6|SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5|SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd|SHA1=b6543d006cb2579fb768205c479524e432c04204|SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb|SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4|SHA1=4a7324ca485973d514fd087699f6d759ff32743b|SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2|SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01|SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6|SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7|SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f|SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99|SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd|SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81|SHA1=7a1689cde189378e7db84456212b0e438f9bf90a|SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95|SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0|SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b|SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6|SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe|SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9|SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6|SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47|SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536|SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6|SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be|SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2|SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf|SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8|SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2|SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558|SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360|SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071|SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5|SHA1=b67945815e40b1cd90708c57c57dab12ed29da83|SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471|SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e|SHA1=a34adabde63514e1916713a588905c4019f83efb|SHA1=3270720a066492b046d7180ca6e60602c764cac7|SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976|SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a|SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df|SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d|SHA1=d702d88b12233be9413446c445f22fda4a92a1d9|SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9|SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b|SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9|SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0|SHA1=e9f576137181c261dc3b23871d1d822731d54a12|SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6|SHA1=1c537fd17836283364349475c6138e6667cf1164|SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed|SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae|SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd|SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979|SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab|SHA1=0f78974194b604122b1cd4e82768155f946f6d24|SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c|SHA1=d363011d6991219d7f152609164aba63c266b740|SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1|SHA1=db3538f324f9e52defaba7be1ab991008e43d012|SHA1=008a292f71f49be1fb538f876de6556ce7b5603a|SHA1=e35969966769e7760094cbcffb294d0d04a09db6|SHA1=5236728c7562b047a9371403137a6e169e2026a6|SHA1=862387e84baaf506c10080620cc46df2bda03eea|SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3|SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f|SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de|SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377|SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634|SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47|SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471|SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825|SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260|SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467|SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d|SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0|SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17|SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833|SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2|SHA1=7a107291a9fad0d298a606eb34798d423c4a5683|SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a|SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3|SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0|SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8|SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0|SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4|SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1|SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37|SHA1=d11659145d6627f3d93975528d92fb6814171f91|SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462|SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387|SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080|SHA1=72966ca845759d239d09da0de7eebe3abe86fee3|SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9|SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea|SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64|SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1|SHA1=dc55217b6043d819eadebd423ff07704ee103231|SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df|SHA1=52ea274e399df8706067fdc5ac52af0480461887|SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19|SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa|SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7|SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3|SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a|SHA1=a09334489fb18443c8793cb0395860518193cc3c|SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a|SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0|SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717|SHA1=8b86c99328e4eb542663164685c6926e7e54ac20|SHA1=431550db5c160b56e801f220ceeb515dc16e68d2|SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586|SHA1=dd893cd3520b2015790f7f48023d833f8fe81374|SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80|SHA1=0b8b83f245d94107cb802a285e6529161d9a834d|SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c|SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76|SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f|SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b|SHA1=166759fd511613414d3213942fe2575b926a6226|SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e|SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180|SHA1=f640c94e71921479cc48d06b59aba41ffa50a769|SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7|SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754|SHA1=3ca51b23f8562485820883e894b448413891183a|SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f|SHA1=30846313e3387298f1f81c694102133568d6d48d|SHA1=b52886433e608926a0b6e623217009e4071b107e|SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf|SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c|SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10|SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534|SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc|SHA1=7667b72471689151e176baeba4e1cd9cd006a09a|SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef|SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579|SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643|SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274|SHA1=c40ff3ebf6b5579108165be63250634823db32ec|SHA1=cef5a329f7a36c76a546d9528e57245127f37246|SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546|SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d|SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327|SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab|SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713|SHA1=437b56dc106d2e649d2c243c86729b6e6461d535|SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f|SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6|SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464|SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084|SHA1=8453fc3198349cf0561c87efc329c81e7240c3da|SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2|SHA1=a7bd05de737f8ea57857f1e0845a25677df01872|SHA1=eb2496304073727564b513efd6387a77ce395443|SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e|SHA1=736531c76b8d9c56e26561bf430e10ecabff0186|SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02|SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca|SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57|SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346|SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3|SHA1=c948ae14761095e4d76b55d9de86412258be7afd|SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017|SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f|SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f|SHA1=a6816949cd469b6e5c35858d19273936fab1bef6|SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178|SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9|SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d|SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186|SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31|SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388|SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb|SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977|SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2|SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d|SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6|SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc|SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7|SHA1=c6d349823bbb1f5b44bae91357895dba653c5861|SHA1=f3029dba668285aac04117273599ac12a94a3564|SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a|SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df|SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92|SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d|SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c|SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb|SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba|SHA1=4075de7d7d2169d650c5ccede8251463913511e6|SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7|SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9|SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de|SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84|SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97|SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5|SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775|SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece|SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07|SHA1=9449f211c3c47821b638513d239e5f2c778dc523|SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d|SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8|SHA1=b314742af197a786218c6dd704b438469445eefa|SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371|SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393|SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef|SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43|SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a|SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7|SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe|SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6|SHA1=696d68bdbe1d684029aaad2861c49af56694473a|SHA1=164c899638bc83099c0379ea76485194564c956c|SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662|SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b|SHA1=a95a126b539989e29e68969bfab16df291e7fa8a|SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73|SHA1=1e8bccbd74f194db6411011017716c8c6b730d03|SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7|SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a|SHA1=19bd488fe54b011f387e8c5d202a70019a204adf|SHA1=879e327292616c56bd4aafc279fbda6cc393b74d|SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0|SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6|SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172|SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3|SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442|SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd|SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6|SHA1=1292c7dd60214d96a71e7705e519006b9de7968f|SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13|SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646|SHA1=f61e56359c663a769073782a0a3ffd3679c2694a|SHA1=dd2b90c9796237036ac7136a172d96274dea14c8|SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35|SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5|SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051|SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a|SHA1=3f67a43ae174a715795e49f72bc350302de83323|SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3|SHA1=655a9487d7a935322e19bb92d2465849055d029d|SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf|SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec|SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14|SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf|SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305|SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f|SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403|SHA1=7fb52290883a6b69a96d480f2867643396727e83|SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995|SHA1=5b83c61178afb87ef7d58fd786808effcaaae861|SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed|SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9|SHA1=5e4b93591f905854fb870011464291c3508aff44|SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78|SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b|SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22|SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796|SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994|SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea|SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a|SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4|SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547|SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1|SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61|SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504|SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa|SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f|SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675|SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf|SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb|SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c|SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f|SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8|SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc|SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc|SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474|SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a|SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba|SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395|SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2|SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00|SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16|SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712|SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f|SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50|SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763|SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26|SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879|SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248|SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75|SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d|SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d|SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812|SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e|SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1|SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439|SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de|SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee|SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a|SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339|SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46|SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526|SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250|SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1|SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a|SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243|SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8|SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47|SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2|SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c|SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3|SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6|SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce|SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d|SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59|SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1|SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c|SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d|SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29|SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b|SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70|SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8|SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26|SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f|SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa|SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed|SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492|SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36|SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293|SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c|SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566|SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1|SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be|SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e|SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889|SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158|SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8|SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672|SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2|SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284|SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0|SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd|SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b|SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0|SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65|SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750|SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162|SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d|SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1|SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173|SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5|SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8|SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a|SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156|SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f|SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6|SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6|SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e|SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677|SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3|SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4|SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea|SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3|SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271|SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91|SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498|SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486|SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f|SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229|SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8|SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469|SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf|SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190|SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb|SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135|SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d|SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9|SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f|SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd|SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1|SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e|SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340|SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775|SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba|SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf|SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667|SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb|SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184|SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de|SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a|SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25|SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa|SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad|SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e|SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef|SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980|SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748|SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8|SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3|SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180|SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c|SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52|SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78|SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb|SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda|SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd|SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c|SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21|SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd|SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f|SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c|SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61|SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f|SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb|SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d|SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e|SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5|SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6|SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17|SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad|SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb|SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433|SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970|SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec|SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00|SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928|SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f|SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833|SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c|SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9|SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0|SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa|SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c|SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506|SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293|SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce|SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219|SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039|SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683|SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418|SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5|SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b|SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef|SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f|SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf|SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670|SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e|SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe|SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6|SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed|SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf|SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2|SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af|SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004|SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9|SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79|SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713|SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222|SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7|SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641|SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36|SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3|SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7|SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b|SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838|SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456|SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8|SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1|SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10|SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60|SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b|SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c|SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c|SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14|SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5|SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b|SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d|SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502|SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff|SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9|SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1|SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca|SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b|SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7|SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e|SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c|SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042|SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653|SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145|SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478|SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5|SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c|SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48|SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7|SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f|SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69|SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53|SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4|SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778|SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75|SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c|SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c|SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57|SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c|SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca|SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c|SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5|SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e|SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901|SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc|SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c|SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1|SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88|SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b|SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d|SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168|SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508|SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f|SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a|SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486|SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a|SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54|SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9|SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c|SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac|SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d|SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc|SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57|SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d|SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece|SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2|SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd|SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512|SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743|SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57|SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92|SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5|SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55|SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298|SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c|SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab|SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd|SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9|SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc|SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a|SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade|SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009|SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d|SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9|SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce|SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761|SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23|SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0|SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c|SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2|SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967|SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1|SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a|SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48|SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8|SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f|SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd|SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220|SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22|SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f|SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e|SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408|SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f|SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2|SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a|SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5|SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a|SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6|SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a|SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01|SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258|SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558|SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b|SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65|SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3|SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44|SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2|SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba|SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482|SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc|SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165|SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061|SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1|SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b|SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02|SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb|SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6|SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a|SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b|SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0|SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc|SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250|SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874|SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129|SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af|SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff|SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80|SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184|SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af|SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1|SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e|SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587|SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8|SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89|SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35|SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b|SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027|SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d|SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924|SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c|SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1|SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4|SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e|SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131|SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f|SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881|SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3|SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9|SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24|SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7|SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2|SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960|SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357|SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0|SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3|SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0|SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b|SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92|SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc|SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6|SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2|SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33|SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc|SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b|SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e|SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21|SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194|SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48|SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465|SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b|SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259|SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0|SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5|SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03|SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686|SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7|SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554|SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b|SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b|SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6|SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7|SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004|SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89|SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b|SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20|SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03|SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4|SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c|SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72|SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98|SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa|SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d|SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb|SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f|SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e|SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510|SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5|SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94|SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf|SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9|SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa|SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248|SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d|SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0|SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa|SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b|SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c|SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8|SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3|SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e|SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5|SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a|SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f|SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1|SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c|SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8|SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3|SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1|SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1|SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775|SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686|SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0|SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa|SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9|SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073|SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c|SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219|SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4|SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2|SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9|SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5|SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c|SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa|SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2|SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504|SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b|SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b|SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126|SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05|SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9|SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2|SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714|SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57|SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d|SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185|SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e|SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207|SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1|SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1|SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5|SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa|SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d|SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb|SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb|SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5|SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685|SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7|SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77|SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918|SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a|SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba|SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8|SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406|SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4|SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63|SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25|SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501|SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c|SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f|SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b|SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26|SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c|SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe|SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2|SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e|SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2|SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b|SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24|SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e|SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80|SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74|SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d|SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85|SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512|SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df|SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8|SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc|SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c|SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062|SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0|SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7|SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0|SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4|SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f|SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d|SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb|SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90|SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496|SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463|SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d|SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467|SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca|SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee|SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5|SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd|SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8|SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09|SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab|SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7|SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd|SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d|SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3|SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5|SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb|SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3|SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2|SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91|SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c|SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850|SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc|SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d|SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad|SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c|SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c|SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88|SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8|SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c|SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6|SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526|SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e|SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b|SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882|SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae|SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee|SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684|SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d|SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb|SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1|SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6|SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3|SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8|SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43|SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad|SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c|SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed|SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b|SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a|SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505|SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb|SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c|SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee|SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a|SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517|SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05|SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee|SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5|SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b|SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285|SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb|SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e|SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d|SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a|SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc|SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3|SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a|SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f|SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc|SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca|SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a|SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab|SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd|SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95|SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada|SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26|SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036|SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7|SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc|SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6|SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965|SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90|SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a|SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9|SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36|SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723|SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f|SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6|SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257|SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534|SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f|SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572|SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d|SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9|SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7|SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a|SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289|SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5|SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8|SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891|SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c|SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94|SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53|SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200|SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf|SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42|SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917|SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1|SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad|SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77|SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c|SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa|SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a|SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d|SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc|SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f|SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e|SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa|SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182|SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b|SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c|SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b|SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5|SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1|SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5|SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f|SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28|SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801|SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c|SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148|SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6|SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4|SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612|SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e|SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d|SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9|SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f|SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440|SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25|SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b|SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6|SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6|SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5|SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289|SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f|SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8|SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b|SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399|SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085|SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585|SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135|SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396|SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257|SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354|SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266|SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82|SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100|SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57|SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae|SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c|SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5|SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8|SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0|SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292|SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30|SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4|SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c|SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449|SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11|SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd|SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717|SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a|SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890|SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091|SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893|SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8|SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e|SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2|SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d|SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288|SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71|SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305|SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4|SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69|SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1|SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e|SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4|SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4|SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70|SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7|SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21|SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f|SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e|SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112|SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a|SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f|SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7|SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524|SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213|SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005|SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd|SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922|SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102|SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5|SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8|SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867|SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca|SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b|SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038|SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21|SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3|SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3|SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14|SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793|SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79|SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1|SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229|SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1|SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659|SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687|SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d|SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c|SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533|SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9|SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f|SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c|SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb|SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f|SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20|SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b|SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0|SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc|SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2|SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb|SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba|SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e|SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de|SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b|SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7|SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646|SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7|SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4|SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc|SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1|SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9|SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a|SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c|SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4|SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03|SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64|SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf|SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530|SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c|SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180|SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763|SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f|SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b|SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2|SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a|SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b|SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e|SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba|SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961|SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a|SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be|SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29|SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584|SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc|SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e|SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c|SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d|SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879|SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb|SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a|SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347|SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3|SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de|SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270|SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba|SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3|SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9|SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409|SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d|SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813|SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa|SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa|SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d|SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe|SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7|SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2|SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236|SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5|SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b|SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4|SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441|SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989|SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7|SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5|SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa|SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa|SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608|SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0|SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6|SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d|SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf|SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664|SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53|SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2|SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7|SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a|SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91|SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a|SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd|SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd|SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5|SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6|SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0|SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289|SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78|SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4|SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c|SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7|SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258|SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51|SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b|SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75|SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9|SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d|SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3|SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37|SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6|SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c|SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1|SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6|SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65|SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028|SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65|SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094|SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5|SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633|SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663|SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7|SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc|SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e|SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0|SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727|SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f|SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2|SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a|SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566|SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5|SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458|SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44|SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351|SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192|SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7|SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb|SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356|SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25|SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058|SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c|SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c|SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4|SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6|SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d|SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d|SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c|SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097|SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01|SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63|SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7|SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057|SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00|SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5|SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a|SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2|SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9|SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114|SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047|SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a|SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa|SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4|SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5|SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91|SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7|SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e|SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a|SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c|SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41|SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0|SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a|SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df|SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958|SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0|SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc|SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229|SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565|SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1|SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad|SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9|SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67|SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2|SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc|SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c|SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2|SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a|SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4|SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a|SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0|SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3|SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc|SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b|SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853|SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38|SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9|SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f|SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be|SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7|SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7|SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1|SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7|SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3|SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba|SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961|SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28|SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a|SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc|SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63|SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d|SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832|SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a|SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421|SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96|SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8|SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810|SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718|SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768|SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf|SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb|SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876|SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e|SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3|SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960|SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c|SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414|SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7|SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33|SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a|SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695|SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece|SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f|SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25|SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0|SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496|SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b|SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3|SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7|SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6|SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae|SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704|SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670|SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8|SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134|SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6|SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef|SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9|SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf|SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605|SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d|SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22|SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02|SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda|SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de|SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c|SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233|SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0|SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18|SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13|SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7|SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4|SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc|SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6|SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757|SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359|SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67|SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1|SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18|SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22|SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb|SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758|SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5|SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc|SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a|SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495|SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0|SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0|SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915|SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347|SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d|SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e|SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413|SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470|SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451|SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66|SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3|SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8|SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955|SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727|SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d|SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452|SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d|SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50|SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280|SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c|SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5|SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986|SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6|SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54|SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3|SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233|SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230|SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0|SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c|SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d|SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be|SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686|SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a|SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96|SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd|SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613|SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17|SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60|SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1|SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668|SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4|SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de|SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f|SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb|SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7|SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c|SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943|SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629|SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e|SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd|SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f|SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d|SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8|SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6|SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06|SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91|SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0|SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe|SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7|SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee|SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548|SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b|SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca|SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc|SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602|SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15|SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8|SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef|SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7|SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3|SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6|SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15|SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7|SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746|SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f|SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57|SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8|SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9|SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9|SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88|SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63|SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad|SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377|SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35|SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24|SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008|SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e|SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858|SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8|SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241|SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476|SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183|SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b|SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7|SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff|SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a|SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d|SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471|SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109|SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1|SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103|SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10|SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6|SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e|SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097|SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457|SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8|SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804|SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35|SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272|SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39|SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd|SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e|SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94|SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db|SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797|SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71|SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402|SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e|SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf|SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b|SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa|SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573|SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd|SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52|SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b|SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5|SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00|SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1|SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9|SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4|SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9|SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a|SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4|SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444|SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b|SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47|SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303|SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59|SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed|SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388|SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015|SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9|SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe|SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c|SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208|SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0|SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc|SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43|SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578|SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441|SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4|SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d|SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099|SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2|SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880|SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836|SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282|SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e|SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab|SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0|SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec|SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0|SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645|SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59|SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf|SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88|SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5|SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b|SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33|SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a|SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc|SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab|SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879|SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe|SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427|SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f|SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9|SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c|SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8|SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4|SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3|SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69|SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097|SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28|SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590|SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd|SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b|SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb|SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374|SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe|SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0|SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84|SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd|SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7|SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53|SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51|SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993|SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295|SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e|SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f|SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49|SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44|SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8|SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805|SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a|SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c|SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73|SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38|SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0|SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506|SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3|SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3|SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921|SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e|SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a|SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65|SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65|SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9|SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f|SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2|SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f|SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2|SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499|SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445|SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5|SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f|SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3|SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8|SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea|SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a|SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec|SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040|SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d|SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56|SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e|SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f|SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4|SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f|SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782|SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56|SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461|SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb|SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8|SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee|SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b|SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280|SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d|SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1|SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e|SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461|SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9|SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57|SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c|SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5|SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a|SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247|SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3|SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1|SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486|SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4|SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f|SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1|SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8|SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065|SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822|SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06|SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4|SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568|SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40|SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890|SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23|SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76|SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63|SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd|SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0|SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4|SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44|SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d|SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3|SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def|SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5|SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250|SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40|SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe|SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b|SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a|SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4|SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036|SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5|IMPHASH=88e21ed9e717781eaf87209acbdbb567|IMPHASH=481d7bb63a8e5eaba756137e6ef22e54|IMPHASH=cef6a450f196b28e634aa3c0655d8eda|IMPHASH=0e0722c16a5ded199f64b26fccd2115a|IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46|IMPHASH=cc88330f6dca52a40e258f689d3e2db4|IMPHASH=835e364e2175338d970c2aaee365f3dc|IMPHASH=82e75304c5b7ed87121b8b89c82f2389|IMPHASH=9470f56376e665fb981a35b303436041|IMPHASH=37b1eada43ad08093dfa4de7a411d15f|IMPHASH=a2d936fa82b7340d28a697fb344046d8|IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7|IMPHASH=32b632f6379bfaac9f4f3a030a694f55|IMPHASH=052280a42374b8d779c10cd0d8118691|IMPHASH=540992ba6f31301ba27604515a78ad79|IMPHASH=a5fd3b0143c8db98017ec1b2b2528360|IMPHASH=1e13511288689b63b2e1348bf5eb567b|IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f|IMPHASH=cf1a39b9408348cddaa4a2827283534c|IMPHASH=0dcd262801389f839ce909cb173448e2|IMPHASH=9e15ce38f071c916bea830247f1241bb|IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef|IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef|IMPHASH=f475387e3959dbea86854d61602db136|IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d|IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a|IMPHASH=14075e605bff546182d682f41afefea2|IMPHASH=b8302791cd2edfe6dd562c4854ea495f|IMPHASH=a1d29a3af6402793ec9d23883512938a|IMPHASH=aa01c534155ce919d797860feb531eae|IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a|IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817|IMPHASH=8605f70bcc472025c2e78082388ed00b|IMPHASH=27365d8741d23e179699f1f11a619c7d|IMPHASH=dc0a0f2d424a59b4d17033f58f01b027|IMPHASH=48e2ef3c2d32ecca62510d90e12b6632|IMPHASH=a793af44219650b4dd07d8a19ede33f1|IMPHASH=5f4063ab963abff76d0d83d239697e36|IMPHASH=7716b766e630388f64de1961719be3d4|IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7|IMPHASH=6e796fd10b55f58fd0ec9f122a14e918|IMPHASH=2d7766896629499b1484227afaf43dd7|IMPHASH=0579e15c488a56c544e8fac130d826ba|IMPHASH=e1d88d0526dfa369c3661355dbd8773d|IMPHASH=8ec78cf864273fd81203678b61c41f04|IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a|IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b|IMPHASH=77d6a7153b3015318622b793227fb394|IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc|IMPHASH=23eb5ffc060c6c52546d38e2b63019bd|IMPHASH=ee9cc2f584c2f06fbff67d484adcf426|IMPHASH=d6dc99d60798b2647006ddba21671160|IMPHASH=1427c5f0f4fb100e26a3911f8209504b|IMPHASH=a095f31019d7a32d0a0507879a1822b1|IMPHASH=b8a35d469bc164d86ac7c64e93b0037b|IMPHASH=0e9dfd08346bbe128159bff440d13389|IMPHASH=bd607d71fdc1444aa96dc431591c5c44|IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a|IMPHASH=edc2197e927392567cf09f7de410b5bb|IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c|IMPHASH=1422b8d354b95d9cd880c8726df45dfc|IMPHASH=0c959096cf4b3180530cc7865ef29157|IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78|IMPHASH=3f4c9025125027e307b7e52dd577303b|IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81|IMPHASH=228bac53e82887d1ed92f51a667a8231|IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70|IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936|IMPHASH=8add42784f4693f421d85a2bcbadc620|IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175|IMPHASH=a94892b77a6474429b9f692d9952a9d5|IMPHASH=aa03d5a319bc221875846e19e01276f7|IMPHASH=26150d69f50aa9247c3f3f17521d18a2|IMPHASH=beb40a1e9d5c89308d1c56958ddac27d|IMPHASH=59b3f3fa2775e407721c2491ddb2890b|IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a|IMPHASH=d8752c1d5954bea175ac00df5acebb09|IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6|IMPHASH=4aaef0105216f062a5f3ee071a72770c|IMPHASH=67f975f0734a5b0598223fbe00b3367e|IMPHASH=175c5711f3c49a0d929e9e2314b21c6b|IMPHASH=12befc0a82dcb0585359d335ed47af19|IMPHASH=24b344cd341f8b20003ac85be08df979|IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce|IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8|IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4|IMPHASH=7363079b9aae7d58bd33c691a613c83c|IMPHASH=e2c63196ed5368f03dabed73b1ff3409|IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46|IMPHASH=2699b7ae36fcadd71425ebafd231d0d1|IMPHASH=8d2a933d039e8b8134ef41236d5ea843|IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0|IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528|IMPHASH=e0813a780309a0af84b605d95bd194e4|IMPHASH=e5fd4339e7b94543b16624a27ba1c872|IMPHASH=fffbca93e6322995552b841c7d65b033|IMPHASH=105b74485670215ab231a942c9101ccf|IMPHASH=74081c86ad3e9771011f162c107927de|IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe|IMPHASH=22a9d7a42282b48c566b4423363d3a3e|IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d|IMPHASH=b262e8d078ede007ebd0aa71b9152863|IMPHASH=abbab73b191d90dc642cbbc1f31d750d|IMPHASH=a5b3ea8c2012c517c472ad6befd37134|IMPHASH=9d7183c1d8107495354c4fad9dae3452|IMPHASH=7d004bbe0f546a91c93562d324307fa7|IMPHASH=b84820037d6a51ba108e0e81ce01db0b|IMPHASH=68b717fa2ab9431cd176776363359d48|IMPHASH=b0356152212dc6e33752847235064fb0|IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708|IMPHASH=85fd19df117fbc21efbcb1d587063e12|IMPHASH=8122311437457ccae22578e301c6a17d|IMPHASH=f939ef0b7f792672866386600f82aa04|IMPHASH=d7de998e454f947f62d4a6b66490563b|IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab|IMPHASH=6816dabcee7b7d027bfbb93a16297afa|IMPHASH=6723b1d5bd0f1fc13216cb44541e619e|IMPHASH=71e84092e69114f0792419cb8b2b0fd1|IMPHASH=9c8c681f74950997cd571fd838a847b8|IMPHASH=95fe5e937e5acf9bea948fe0256e46ae|IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40|IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920|IMPHASH=6ce93eab57a73915ecd5c202a339f6ce|IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41|IMPHASH=3edc60bda68569cac7ad7604728ff40d|IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a|IMPHASH=b05ee5c816a30bc52378c759486af0b9|IMPHASH=f7d07bcaa23837d219dcb64e76290252|IMPHASH=d658b06ec1ce39670b02a2dd83e29d03|IMPHASH=11bfcbdb0787ef461d442f973c392cf6|IMPHASH=f531646e31cc12dfaac5b8352653c384|IMPHASH=9b3ad85a76080f989d24cd89da90175a|IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4|IMPHASH=4b0b017b23567cf8b9e1268957acd032|IMPHASH=b4a71a1265f5f82cf383af17e229acb5|IMPHASH=0ebf1214948a636eba076b14cd8f72d5|IMPHASH=c05e71aad32edcbe71ae0ef1621f8693|IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450|IMPHASH=236bc37dff7a92a4d25d807cf038e674|IMPHASH=e38cca61999fb8a0308c0eb798b07989|IMPHASH=3815f9107b799b863cd905178e6e07d0|IMPHASH=3c91d549b68e320924bcde3856993e87|IMPHASH=bb56f25a810b329868a0ff8e94080bad|IMPHASH=f5030145594c486434040aa2636a5dde|IMPHASH=d8101af81fd826b492ced1994ebd3268|IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed|IMPHASH=799c9c020c6fcfd11a4172bc861f74af|IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98|IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c|IMPHASH=b1e749ba779687a5127817da3d47af2c|IMPHASH=202a0f2f992ec379e2876776ae9de661|IMPHASH=f5df2479285c7b593b3630b8357032e3|IMPHASH=32204eaf2afa5b348ab17de07362885c|IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14|IMPHASH=64d934652c680b7759f6e75d05ee3072|IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869|IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d|IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f|IMPHASH=a18b467c3b43f334ca455c495a3ef70d|IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b|IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00|IMPHASH=69260cce3156aa2dc0540fb78f5fe826|IMPHASH=b1336b0cb67918ed39f1f88c354910d0|IMPHASH=f119bff607049d431d0968fbaf6532f3|IMPHASH=c91146dfe120f6e8fbed2150d9e020ca|IMPHASH=1e6875beefe8571686d3e8530f8c4bfb|IMPHASH=acdf419d1d03923be256205b9c33eec8|IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201|IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511|IMPHASH=6e7cd05c0da9f82449a8b3795418ee00|IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8|IMPHASH=4792bcb395d06f9efb72e8020c4af5e6|IMPHASH=d5bc15465b63888cc8b98ecc63a81517|IMPHASH=7f53340c91c108efedb5b8678c5207b3|IMPHASH=3f4a90b2976641ad2c0164792b24d322|IMPHASH=d221afaadf43ceedb581e665435c56c7|IMPHASH=f212bbc758bb52fc661839b1d194b76e|IMPHASH=e938b727f5a033818337f7ba0584500f|IMPHASH=3ac083b0ee2b752436a8a1532179f032|IMPHASH=2e9ef79ea88178e29516dfa435a58900|IMPHASH=24c3d3be20e794c17844d030be03fd2f|IMPHASH=700a9350ac8b218ab9fc62cf25337ad3|IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1|IMPHASH=2233472cee6457ad207017803048aaff|IMPHASH=f046e37fa7914491dc25a6f7718da341|IMPHASH=683bc425e3d8c21f9473a238a0645a4e|IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638|IMPHASH=e2306e26abfd90a5ce4dad0e266b3905|IMPHASH=10917aa77669c6ae714f074d89be9ab8|IMPHASH=db62897eb9d2098e988f830159c04c82|IMPHASH=51780bba04121d6be13f69de08721445|IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08|IMPHASH=5988ec9f159fefbdf89d893aa634dd92|IMPHASH=05d3de62beab8e88de1dafd3b24a16f6|IMPHASH=88380fdfc880da4da407c38f34fe8a3c|IMPHASH=8a424cd36ae3eab0d11332ce3b982a02|IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57|IMPHASH=85f86c7c8ce81a78e84efa545d7edc65|IMPHASH=9523103b30fb194643b97ccc3ab7abb0|IMPHASH=0c2219c9c5eab786fa876f74356eea20|IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac|IMPHASH=c6a0f65ba653ee78255cc9e314abc442|IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56|IMPHASH=13300d56528646611f26704266713952|IMPHASH=095c0cdb9c0421da216371c1f4e8790e|IMPHASH=45f8f347e3fb919f3164a4a3278f1c71|IMPHASH=0e4f5481813eeec4e5dd96e36020135f|IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd|IMPHASH=2561727ac42d399030b3c46477c428f4|IMPHASH=be69e763a6a858c3e7e1ea6e3af12691|IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055|IMPHASH=1d9cdf46ff335712634c292180c06755|IMPHASH=ad4586d21c9469bf636b5e8660e9d702|IMPHASH=958dd67f866ae27cf716e30a025b266f|IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f|IMPHASH=b4c562c2c654abd2cc71658646314976|IMPHASH=679eba16ab2d51543b7007708838ef7c|IMPHASH=a1603fe7f02448c6b33687ddb9304c7f|IMPHASH=9e2cf28fe320bbf74972509536569c8e|IMPHASH=f233a65b937c69b447824889fb7425ff|IMPHASH=b3204707f6e489cd5a2484881eaf78ca|IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e|IMPHASH=28c5045218461018dbde27212ab0f227|IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1|IMPHASH=e80eeed7225a880bbde0d038a5fe1af4|IMPHASH=62473b41d695f075ad96abc4a408de5b|IMPHASH=56307b5227183c002e4231320a72b961|IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc|IMPHASH=9915439d37f385dbffc72bf835f3ee02|IMPHASH=4199ed50502e00f57d9b66e9305450f5|IMPHASH=71c580daf556775f690f0af3db12506f|IMPHASH=c1ab6741cd29de98a138f2bd639f620a|IMPHASH=32247962aa01af8ad5dca696260a05ab|IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85|IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501|IMPHASH=78727a5fac8bd281903014ee00dcd553|IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7|IMPHASH=4343c9c0b78ee21e895f10d929c240d4|IMPHASH=f510a429c6ce5c8d414550518b3823d2|IMPHASH=45acfe4a83f61d872fb904a1f08ef991|IMPHASH=cbf26c6e8cf7e294bda273e7026a2789|IMPHASH=84d83741445d9f5a6717b874fed3d8f3|IMPHASH=0b40636205c64cacfd2e4f407518ad58|IMPHASH=b4627789883457d50964a248104cb4c2|IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544|IMPHASH=a0a13575e37906924a0b79043b4005c6|IMPHASH=955e7b12a8fa06444c68e54026c45de1|IMPHASH=8f52e36711c80bb9d7e30995e0092e83|IMPHASH=05fbe4619edf747787879d9323951439|IMPHASH=865c945f842a3f5f5453fb90d12f6765|IMPHASH=89f925b54b95944513671d79eba5fe07|IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f|IMPHASH=2ece23bdef16ee294bd905c7ba1be589|IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd|IMPHASH=a86fb9a41955bda815ab902fb58baa27|IMPHASH=2f7ea575cf15da16c8f117eee37046d8|IMPHASH=223a76f59831e1a59980b603f81c271d|IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08|IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95|IMPHASH=3552d8a0022e7f3136b667e6d1e402f2|IMPHASH=67d92a28cd2923a923adf7fd958905d8|IMPHASH=3c9af2347198d96c8ab5b189b4e3db37|IMPHASH=f43aa654b4bfb882a0af098ad3f899e9|IMPHASH=518e77c070ae21af7c558962cd1854a3|IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26|IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3|IMPHASH=acd1b0130287133223d26c91f27f6899|IMPHASH=82942c060f79cefd3bf1acdf5c207561|IMPHASH=bc5c06a7fa9555f3f34043d828d9b123|IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1|IMPHASH=2424cf613f90884493009dd6bee95693|IMPHASH=5c77661ac2951da388949d9a834eb694|IMPHASH=2a20cc9578bb34a4bb10b87b49b24982|IMPHASH=3ee1cb6085fbe05e46e2b88493426848|IMPHASH=cb876abd8c6ca8a47d50aec4a520a020|IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1|IMPHASH=aa274f6b4b15691fd725d7044f98bf36|IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd|IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f|IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50|IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3|IMPHASH=7863a0f25a0647ed7d52641222bd709a|IMPHASH=75018719e85e67b75e73c57d682dbcbf|IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4|IMPHASH=2263350df91a5a4f5e10e68b3b822029|IMPHASH=6f0b9814da4da038669c47e77c2f268f|IMPHASH=9fb64527ca6d4541cc256b1abd1e4101|IMPHASH=27db67ffa112f866f1d34c32226e09cf|IMPHASH=5bb79a6caa12076a6d140085cb53892e|IMPHASH=d169b0949781ca2a6efea5a106266a02|IMPHASH=5a50a9a44f5d36af5df1bde995d22e42|IMPHASH=626c8ecbc636968157d73f18ac315926|IMPHASH=f12ae9073d95c22ed89247253d59f500|IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864|IMPHASH=840e656bdb2987fa422092ec9d588895|IMPHASH=d57ef6278dcd7049063e8fb6ade9effc|IMPHASH=392aa6863da8d7c14ad7386026e93b58|IMPHASH=5662b51943d85b7ca47a99cac81af985|IMPHASH=8418ac0d7aaa9015794e55ea54733342|IMPHASH=163436e69f8e582bdc1c1e6f735de23b|IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48|IMPHASH=3198fc43051f03c6c71587dbf232f75c|IMPHASH=9321f9c47129fbc728ead2710e22f1a5|IMPHASH=1a0d0d460994cfde55ee908d62330ee0|IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc|IMPHASH=634f3c43b014dc8845b086c9328a678c|IMPHASH=81acb4bb89ef49c4e7f30513b4750e53|IMPHASH=d61d30746681d0fda9bfd9e8af061b2a|IMPHASH=7453e39bd87c63550451ba2fa354dd8e|IMPHASH=bb437241f56020db0fcbf8f8629bdb07|IMPHASH=1e8ee6407390a2d52051bec21c771fdb|IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740|IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8|IMPHASH=1b0788bb68804273159b8ace9cba7ea3|IMPHASH=9521d8684357766840dbcac2b4cee67d|IMPHASH=b4c2607b2af5376910bf80b561e9a18a|IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27|IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e|IMPHASH=8bbc742eaed888736a715757f0584fb6|IMPHASH=be527e5f470fbc661f914c81bfc9af38|IMPHASH=ad374977f06fefefbb9c77155f7a0733|IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f|IMPHASH=31907ffcac211e27136b14bb2f442070|IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f|IMPHASH=8a5edbe5251fe141ea0262d5d572178b|IMPHASH=0265c50548889ffd5c2d3a2539885efe|IMPHASH=9376f1c4ab79240cc948b77bf9e8814b|IMPHASH=82b2288ac7f842e42de15c5bc96f1772|IMPHASH=317f02ddc9809d608a9bf63ce24e9550|IMPHASH=65abf5c92cc2239f2dc9d589458569c9|IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2|IMPHASH=fd133033a24971502ff0b2f189215c56|IMPHASH=050d389675730da0d9d75367659cd53b|IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944|IMPHASH=505e0a016962137ca6169bce64ba2f53|IMPHASH=02a27dc9a48b694b7df4b821eb65178c|IMPHASH=bfe13c695e41d3eee414d3929b1bd523|IMPHASH=5095ddaed3abc22c1510a141d72735cc|IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37|IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60|IMPHASH=07a42e80559d960b176c0fc8fd309bfe|IMPHASH=f86759bb4de4320918615dc06e998a39|IMPHASH=c9f08d92efe88afb2545eb82a8870233|IMPHASH=6b867dee14a77d0ada8ccad99b16291e|IMPHASH=744af2b62301859b4ccdffba53551b15|IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651|IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e|IMPHASH=31a3c2c72c9a565dc4ba75ef26677569|IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913|IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89|IMPHASH=ad34ea17f90a34f6f84a399a96383ada|IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42|IMPHASH=587191d77c08023e6e95463153e45463|IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631|IMPHASH=cb8db41ab8c06472574e58b9466f4070|IMPHASH=391ffad95759bc4bac2b737d0d0eaa84|IMPHASH=c52384bc825d2414de3195672971339e|IMPHASH=b0e74761cced2dde5173ae05ec562085|IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7|IMPHASH=ad0cdf3bab32983050527655bce40f96|IMPHASH=e1a5435877b427be967867a25b1d263e|IMPHASH=61b719638eacc2c5ca299805d4819e69|IMPHASH=7687d0eba49315582228ef660f61b471|IMPHASH=e7cbb1ce75bfc69f53855066a936042d|IMPHASH=bc44fdc145156a15d0a803d18877b218|IMPHASH=d5e7fc56a905088dbc79b8e27b98faea|IMPHASH=3702511999371bac8982d01820dd70f2|IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537|IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc|IMPHASH=e717a2158439123c6fca79b6b2c0ba49|IMPHASH=6736c04d5ff512e5e2eb608414276513|IMPHASH=225e24ee3c4081a16ef32831b70bf8ef|IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb|IMPHASH=37f7c6238c9ce110408e01ae1bc45635|IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be|IMPHASH=78eaf4d62617f6b614d318cc70c6548a|IMPHASH=55db306bc2be3ff71a6b91fd9db051b8|IMPHASH=021fd02a8adad420116496b6f2759960|IMPHASH=b3e26c5e0de2d01597dca208ef27cc38|IMPHASH=67affe6126c1d4a774b2504061c96a2e|IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d|IMPHASH=5ea78a193212fe61ac722f45f0b0eab9|IMPHASH=77ec8b2c372741f12098f084a13a56a8|IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b|IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac|IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107|IMPHASH=c12f7aec6ebe84a8390c82720adfc237|IMPHASH=0a8eeabf5981efb2116244785cb03900|IMPHASH=7f8c74638fcf297f8216aa5b184f61d6|IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7|IMPHASH=8d616e68080def2200312de80392efa7|IMPHASH=cde9174249f04dad0f79890c976c0792|IMPHASH=858ceae385cdcfcbc7814644564c23e6|IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0|IMPHASH=c7f08aed5725fe6a53a62ebe354ff135|IMPHASH=cc81a908891587ccac8059435eda4c66|IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c|IMPHASH=01aa65221a48929f0a34a27c4e3011b1|IMPHASH=409d2ab916237fb129c57aacbb7cb4fe|IMPHASH=65181bc89a1c2b5854548236269846c1|IMPHASH=787e32b3fd816479fb93f9af0b6d0da3|IMPHASH=8e89024d2c0ef0451c12b956a2b55b91|IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33|IMPHASH=b7a0100fe60d7a8263da64820f7d0120|IMPHASH=d16f507665603095c26147a7adcb93b8|IMPHASH=0b663530751cc11f34273fee7921c431|IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54|IMPHASH=cb8397a3262c80b558aff93ab75b6a7b|IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233|IMPHASH=9fd359d308a1e93106189b4ebd945855|IMPHASH=c94e5ad0f33374535392364a5a193253|IMPHASH=751c6b5c201f8c52f5512350cad88ddc|IMPHASH=eac62dd0c27ed557fa4b641fa4050d04|IMPHASH=506a31d768aec26b297c45b50026c820|IMPHASH=60805da513b95c3d18a93b988bdfb58f|IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b|IMPHASH=c1579e4266fbdc47a5abc493a2d9d597|IMPHASH=adfd4c0b031598afecb6f3f585f5f581|IMPHASH=7a286ef4179598007a8afe9e5af95a48|IMPHASH=c7912c850407aa93c979d95c4f593507|IMPHASH=bec5dc89f030df7a96d19483fad4cc0a|IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07|IMPHASH=d67b7c7501e5261df5e66b3219fa52ee|IMPHASH=b142d772a67c40535c8d8fabb6861748|IMPHASH=1957e33acbc826c69f452ae1d1b89ac9|IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3|IMPHASH=085a78615099ffefa2df0a31da3058d8|IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11|IMPHASH=6f2d756d22c285a46206de3bfde6c79d|IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2|IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c|IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3|IMPHASH=cb15f8046e159c17b0510738fa18f758|IMPHASH=07a513d1599c93bd34f01323b1ef7430|IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8|IMPHASH=8b41eacbfbe5f5348579e27d30767e74|IMPHASH=afee876e89b51e2cc7c91353fb588fe6|IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e|IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b|IMPHASH=d6d76f43ccc3872b879b0df583364c78|IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b|IMPHASH=3ec1e7e215efad2711248558465da9ad|IMPHASH=96f270be3f73ec3fc2f2237fe84efca0|IMPHASH=9ad5f7496f8c918d6c0536751d3accae|IMPHASH=b1ed268dfdf4f39960971eb5822a4755|IMPHASH=4c0161f638d5acafe23fcee3c5e86f15|IMPHASH=9928d53dbe860aba1b7c891831680629|IMPHASH=d122c1eaa50839be14c31876d0d4e0be|IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23|IMPHASH=abdaca21ab5c831000b0aa4b8f357716|IMPHASH=0555907292d07d9f78205416eb1924d3|IMPHASH=832f0fb3579a07b1c4bec82b4478306b|IMPHASH=340e874a1ca966e45fc2a314ef228cce|IMPHASH=b35d1d3faa6c97b106b343823d5df867|IMPHASH=7e1327419d10a7eeece5579526f75d9f|IMPHASH=084b99aebda8a13e4f774a2ced272e85|IMPHASH=81ba5280406320ce6f03a9817d7d6035|IMPHASH=e4f1a9234e4ea105321909d4c0e597ae|IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab|IMPHASH=c3fd2e688276a184b2528ee590054e5a|IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2|IMPHASH=29a1da8841f5363423dcba1a9773809a|IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681|IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31|IMPHASH=3415f704b3149ea9a3d3a54036b208dd|IMPHASH=7cf815757705e26b809574488ed56d0e|IMPHASH=28d780857f0f6616f938aca3a38b5072|IMPHASH=235102691b04f562ae8aa7ece38d8bc9|IMPHASH=262d8fbbf1f514399bb3f230cddc12af|IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556|IMPHASH=bd093a7d5ba5632ee52f3466a688ee55|IMPHASH=a9e22f5e8f4965960716d94ba7639c9f|IMPHASH=528ac7a1e034801d1f20238971c6ec19|IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4|IMPHASH=7c8c655791b5c853e45aa174e5cc1333|IMPHASH=a53b095a8d7366075d445892070cde51|IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef|IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b|IMPHASH=9a970527986cd03e5a25d18b372624a1|IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8|IMPHASH=959dce366573a7aae10b74a08931722a|IMPHASH=fce118020e70919e5c8c629687f89e56|IMPHASH=86682585c620fa85096a7bedaf990cd1|IMPHASH=5f9cf5b0511f3c1129b467d273b921f2|IMPHASH=543f80399f79401471523d335ea61642|IMPHASH=3ca448454c33a5c72ad5e774de47930a|IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b|IMPHASH=1f2627fc453dc35031a9502372bd3549|IMPHASH=2cf48a541dc193e91bb2a831adcf278e|IMPHASH=805e4a267f9495e7c0c430d92b78f8bd|IMPHASH=92caaf6ebb43bbe61f3da8526172f776|IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8|IMPHASH=aa54fa0523f677e56d6d8199e5e18732|IMPHASH=8ee2435c62b02fe0372cde028be489cb|IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c|IMPHASH=037b9d19995faadf69a2ce134473e346|IMPHASH=2c19472843b56c67efb80d8c447f3cfe|IMPHASH=a74f61fdcea718cb9579907b2caf54ab|IMPHASH=84d45ee8df6f63b5af419d89003a97bc|IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4|IMPHASH=6903b92e7760c5d7f7c181b64eb13176|IMPHASH=d6f977640d4810a784d152e4d3c63a6b|IMPHASH=473c3773ca11aa7371dbf350919c5724|IMPHASH=87842ffa59724bda8389394bcaeb5d73|IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5|IMPHASH=b6f67458e30912358144df4adf5264fd|IMPHASH=a49a51d7f2ae972483961eb64d17888e|IMPHASH=81e2eb25e24938b90806de865630a2b2|IMPHASH=96861132665e8d66c0a91e6c02cc6639|IMPHASH=69163e5596280d3319375c9bcd4b5da1|IMPHASH=4946030efb34ab167180563899d5eb27|IMPHASH=4c304943af1b07b15a5efa80f17d9b89|IMPHASH=821d74031d3f625bcbd0df08b70f1e77|IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b|IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b|IMPHASH=91387ac37086b9b519f945b58095f38d|IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7|IMPHASH=ced7ea67fdf3d89a48849e0062278f7d|IMPHASH=5713a0c2b363c49706fa0e60151511a8|IMPHASH=089e8a8f2bb007852c63b64e66430293|IMPHASH=383be1d728b0be96be1b810a131705ee|IMPHASH=3d42ff70269b824dd9d4a8cb905669f9|IMPHASH=363922cc73591e60f2af113182414230|IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1|IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb|IMPHASH=42e3f2ffa29901e572f2df03cb872159|IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2|IMPHASH=d5d40497d82daf7e44255ede810ce7a6|IMPHASH=91ee149529956a79a91eeb8c48f00b3d|IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b|IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57|IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2|IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5|IMPHASH=519cf5394541bf5e2869edeec81521e1|IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4|IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3|IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7|IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e|IMPHASH=49a12b06131d938e9dc40c693b88ba7f|IMPHASH=f74aa24adc713dbb957ccb18f3c16a71|IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd|IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4|IMPHASH=8b6c1a09e11200591663b880a94a8d18|IMPHASH=eade2a2576f329e4971bf5044ab24ac7|IMPHASH=8b47d6faba90b5c89e27f7119c987e1a|IMPHASH=4433528b0f664177546dd3e229f0daa5|IMPHASH=c0f234205c50cc713673353c9653eea1|IMPHASH=b4b90c1b054ebe273bff4b2fd6927990|IMPHASH=f2dc136141066311fddef65f7f417c44|IMPHASH=12a08688ec92616a8b639d85cc13a3ed|IMPHASH=296afaa5ea70bbd17135afcd04758148|IMPHASH=8232d2f79ce126e84cc044543ad82790|IMPHASH=e10e743d152cf62f219a7e9192fb533d|IMPHASH=e5af2438da6df2aa9750aa632c80cfa4|IMPHASH=3a4e0bc46866ca54459753f62c879b62|IMPHASH=10cb3185e13390f8931a50a131448cdf|IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e|IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c|IMPHASH=fd894d394a8ca9abd74f7210ed931682|IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19|IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded|IMPHASH=485f7e86663d49c68c8b5f705d310f50|IMPHASH=5899e93373114ca9e458e906675132b7|IMPHASH=be2d638c3933fc3f5a96e539f9910c5f|IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4|IMPHASH=f9b9487f25a2c1e08c02f391387c5323|IMPHASH=ef102e058f6b88af0d66d26236257706|IMPHASH=0f371a913e9fa3ba3a923718e489debb</field>
    </rule>
    <rule id="900428" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Vulnerable Driver Load By Name</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+panmonfltx64\.sys|\\+dbutil\.sys|\\+fairplaykd\.sys|\\+nvaudio\.sys|\\+superbmc\.sys|\\+bsmi\.sys|\\+smarteio64\.sys|\\+bwrsh\.sys|\\+agent64\.sys|\\+asmmap64\.sys|\\+dellbios\.sys|\\+chaos\-rootkit\.sys|\\+wcpu\.sys|\\+dh_kernel\.sys|\\+sbiosio64\.sys|\\+bw\.sys|\\+asrdrv102\.sys|\\+nt6\.sys|\\+mhyprot3\.sys|\\+winio64c\.sys|\\+asupio64\.sys|\\+blackbonedrv10\.sys|\\+d\.sys|\\+driver7\-x86\.sys|\\+sfdrvx32\.sys|\\+enetechio64\.sys|\\+gdrv\.sys|\\+sysinfodetectorx64\.sys|\\+fh\-ethercat_dio\.sys|\\+asromgdrv\.sys|\\+my\.sys|\\+dcprotect\.sys|\\+irec\.sys|\\+gedevdrv\.sys|\\+winio32a\.sys|\\+gvcidrv64\.sys|\\+winio32\.sys|\\+bs_hwmio64\.sys|\\+nstr\.sys|\\+inpoutx64\.sys|\\+hw\.sys|\\+winio64\.sys|\\+hpportiox64\.sys|\\+iobitunlocker\.sys|\\+b1\.sys|\\+aoddriver\.sys|\\+elbycdio\.sys|\\+protects\.sys|\\+kprocesshacker\.sys|\\+speedfan\.sys|\\+radhwmgr\.sys|\\+iscflashx64\.sys|\\+black\.sys|\\+b4\.sys|\\+hwos2ec10x64\.sys|\\+winflash64\.sys|\\+corsairllaccess64\.sys|\\+bs_i2cio\.sys|\\+d3\.sys|\\+windows\-xp\-64\.sys|\\+aswvmm\.sys|\\+bs_i2c64\.sys|\\+1\.sys|\\+nchgbios2x64\.sys|\\+cpuz141\.sys|\\+segwindrvx64\.sys|\\+tdeio64\.sys|\\+ntiolib\.sys|\\+gtckmdfbs\.sys|\\+iomap64\.sys|\\+avalueio\.sys|\\+semav6msr\.sys|\\+lgdcatcher\.sys|\\+b\.sys|\\+hwdetectng\.sys|\\+nt4\.sys|\\+tgsafe\.sys|\\+mydrivers\.sys|\\+eneio64\.sys|\\+procexp\.sys|\\+viragt64\.sys|\\+fpcie2com\.sys|\\+lenovodiagnosticsdriver\.sys|\\+cp2x72c\.sys|\\+kerneld\.amd64|\\+bs_def64\.sys|\\+piddrv\.sys|\\+amifldrv64\.sys|\\+cpuz_x64\.sys|\\+proxy32\.sys|\\+wsdkd\.sys|\\+t8\.sys|\\+ucorew64\.sys|\\+atszio\.sys|\\+lmiinfo\.sys|\\+80\.sys|\\+nt3\.sys|\\+ngiodriver\.sys|\\+lv561av\.sys|\\+gpcidrv64\.sys|\\+fd3b7234419fafc9bdd533f48896ed73_b816c5cd\.sys|\\+rtport\.sys|\\+full\.sys|\\+viragt\.sys|\\+fiddrv64\.sys|\\+cupfixerx64\.sys|\\+cpupress\.sys|\\+hwos2ec7x64\.sys|\\+driver7\-x86\-withoutdbg\.sys|\\+asrdrv10\.sys|\\+nvflsh64\.sys|\\+asrrapidstartdrv\.sys|\\+tmcomm\.sys|\\+wiseunlo\.sys|\\+rwdrv\.sys|\\+asio64\.sys|\\+nvoclock\.sys|\\+panio\.sys|\\+mtcbsv64\.sys|\\+amigendrv64\.sys|\\+capcom\.sys|\\+netflt\.sys|\\+phlashnt\.sys|\\+dbutil_2_3\.sys|\\+ni\.sys|\\+ntiolib_x64\.sys|\\+atszio64\.sys|\\+lgcoretemp\.sys|\\+lha\.sys|\\+phymem64\.sys|\\+dbutildrv2\.sys|\\+asrdrv103\.sys|\\+rtcore64\.sys|\\+bs_hwmio64_w10\.sys|\\+ene\.sys|\\+winio64b\.sys|\\+piddrv64\.sys|\\+directio32\.sys|\\+monitor_win10_x64\.sys|\\+nt5\.sys|\\+asrsmartconnectdrv\.sys|\\+rtif\.sys|\\+atillk64\.sys|\\+directio\.sys|\\+asribdrv\.sys|\\+kfeco11x64\.sys|\\+citmdrv_ia64\.sys|\\+sysdrv3s\.sys|\\+amp\.sys|\\+vboxdrv\.sys|\\+adv64drv\.sys|\\+hostnt\.sys|\\+phymem_ext64\.sys|\\+echo_driver\.sys|\\+winiodrv\.sys|\\+pdfwkrnl\.sys|\\+glckio2\.sys|\\+asrdrv106\.sys|\\+nscm\.sys|\\+bs_rcio64\.sys|\\+ncpl\.sys|\\+sandra\.sys|\\+fiddrv\.sys|\\+hwrwdrv\.sys|\\+mhyprot\.sys|\\+asrsetupdrv103\.sys|\\+iqvw64\.sys|\\+b3\.sys|\\+ssport\.sys|\\+bs_def\.sys|\\+computerz\.sys|\\+windows8\-10\-32\.sys|\\+nstrwsk\.sys|\\+lurker\.sys|\\+bsmemx64\.sys|\\+wyproxy64\.sys|\\+asio\.sys|\\+t3\.sys|\\+cpuz\.sys|\\+rtkio\.sys|\\+driver7\-x64\.sys|\\+netfilterdrv\.sys|\\+ioaccess\.sys|\\+testbone\.sys|\\+gameink\.sys|\\+kevp64\.sys|\\+mhyprot2\.sys|\\+se64a\.sys|\\+vboxusb\.sys|\\+windows7\-32\.sys|\\+vproeventmonitor\.sys|\\+winio64a\.sys|\\+asrdrv101\.sys|\\+netproxydriver\.sys|\\+elrawdsk\.sys|\\+zam64\.sys|\\+cg6kwin2k\.sys|\\+asupio\.sys|\\+stdcdrvws64\.sys|\\+81\.sys|\\+citmdrv_amd64\.sys|\\+amdryzenmasterdriver\.sys|\\+vmdrv\.sys|\\+sysinfo\.sys|\\+alsysio64\.sys|\\+directio64\.sys|\\+rzpnk\.sys|\\+amdpowerprofiler\.sys|\\+truesight\.sys|\\+wirwadrv\.sys|\\+phymemx64\.sys|\\+msio64\.sys|\\+sepdrv3_1\.sys|\\+gametersafe\.sys|\\+bs_rcio\.sys|\\+d4\.sys|\\+t\.sys|\\+eio\.sys|\\+nt2\.sys|\\+winring0\.sys|\\+physmem\.sys|\\+libnicm\.sys|\\+msio32\.sys|\\+asrautochkupddrv\.sys|\\+asio32\.sys|\\+etdsupp\.sys|\\+smep_namco\.sys|\\+bandai\.sys|\\+d2\.sys|\\+magdrvamd64\.sys|\\+nvflash\.sys|\\+goad\.sys|\\+proxy64\.sys|\\+amsdk\.sys|\\+kbdcap64\.sys|\\+vdbsv64\.sys|\\+pchunter\.sys|\\+sysconp\.sys|\\+dh_kernel_10\.sys|\\+msrhook\.sys|\\+bedaisy\.sys|\\+dcr\.sys|\\+panmonflt\.sys|\\+bsmixp64\.sys|\\+otipcibus\.sys|\\+fidpcidrv\.sys|\\+kfeco10x64\.sys|\\+asrdrv104\.sys|\\+c\.sys|\\+tdklib64\.sys|\\+bsmix64\.sys|\\+bs_flash64\.sys|\\+stdcdrv64\.sys|\\+naldrv\.sys|\\+ctiio64\.sys|\\+bwrs\.sys|\\+nicm\.sys|\\+winio32b\.sys|\\+paniox64\.sys|\\+ecsiodriverx64\.sys|\\+iomem64\.sys|\\+fidpcidrv64\.sys|\\+aswarpot\.sys|\\+bs_rciow1064\.sys|\\+asmio64\.sys|\\+openlibsys\.sys|\\+viraglt64\.sys|\\+dbk64\.sys|\\+t7\.sys|\\+atlaccess\.sys|\\+nbiolib_x64\.sys|\\+smep_capcom\.sys|\\+iqvw64e\.sys)$</field>
    </rule>
    <rule id="900429" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+HEVD\.sys)$</field>
    </rule>
    <rule id="900430" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5|IMPHASH=c46ea2e651fd5f7f716c8867c6d13594</field>
    </rule>
    <rule id="900431" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable HackSys Extreme Vulnerable Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:f26d0b110873a1c7d8c4f08fbeab89c5|c46ea2e651fd5f7f716c8867c6d13594)$</field>
    </rule>
    <rule id="900432" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+WinRing0x64\.sys|\\+WinRing0\.sys|\\+WinRing0\.dll|\\+WinRing0x64\.dll|\\+winring00x64\.sys)$</field>
    </rule>
    <rule id="900433" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7</field>
    </rule>
    <rule id="900434" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Vulnerable WinRing0 Driver Load</description>
        <options>no_full_log</options>
        <group>windows,driver_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:d41fa95d4642dc981f10de36f4dc8cd7)$</field>
    </rule>
    <rule id="900435" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+WinDivert\.sys|\\+WinDivert64\.sys|\\+NordDivert\.sys|\\+lingtiwfp\.sys|\\+eswfp\.sys</field>
    </rule>
    <rule id="900436" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=0604bb7cb4bb851e2168d5c7d9399087|IMPHASH=2e5f0e649d97f32b03c09e4686d0574f|IMPHASH=52f8aa269f69f0edad9e8fcdaedce276|IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76|IMPHASH=58623490691babe8330adc81cd04a663|IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b|IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96|IMPHASH=a1b2e245acd47e4a348e1a552a02859a|IMPHASH=2a5f85fe4609461c6339637594fa9b0a|IMPHASH=6b2c6f95233c2914d1d488ee27531acc|IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342|IMPHASH=d8a719865c448b1bd2ec241e46ac1c88|IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38|IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6|IMPHASH=a74929edfc3289895e3f2885278947ae|IMPHASH=a66b476c2d06c370f0a53b5537f2f11e|IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4|IMPHASH=c28cd6ccd83179e79dac132a553693d9</field>
    </rule>
    <rule id="900437" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1599.001</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>WinDivert Driver Load</description>
        <options>no_full_log</options>
        <group>driver_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:0604bb7cb4bb851e2168d5c7d9399087|2e5f0e649d97f32b03c09e4686d0574f|52f8aa269f69f0edad9e8fcdaedce276|c0e5d314da39dbf65a2dbff409cc2c76|58623490691babe8330adc81cd04a663|8ee39b48656e4d6b8459d7ba7da7438b|45ee545ae77e8d43fc70ede9efcd4c96|a1b2e245acd47e4a348e1a552a02859a|2a5f85fe4609461c6339637594fa9b0a|6b2c6f95233c2914d1d488ee27531acc|9f2fdd3f9ab922bbb0560a7df46f4342|d8a719865c448b1bd2ec241e46ac1c88|0ea54f8c9af4a2fe8367fa457f48ed38|9d519ae0a0864d6d6ae3f8b6c9c70af6|a74929edfc3289895e3f2885278947ae|a66b476c2d06c370f0a53b5537f2f11e|bdcd836a46bc2415773f6b5ea77a46e4|c28cd6ccd83179e79dac132a553693d9)$</field>
    </rule>
    <rule id="900438" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+Appdata\\+Local\\+Microsoft\\+Windows\\+WebCache\\+WebCacheV01\.dat)</field>
    </rule>
    <rule id="900439" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+cookies\.sqlite|release\\+key3\.db|release\\+key4\.db|release\\+logins\.json)</field>
    </rule>
    <rule id="900440" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Appdata\\+Local\\+Chrome\\+User\ Data\\+Default\\+Login\ Data|\\+AppData\\+Local\\+Google\\+Chrome\\+User\ Data\\+Default\\+Network\\+Cookies|\\+AppData\\+Local\\+Google\\+Chrome\\+User\ Data\\+Local\ State</field>
    </rule>
    <rule id="900441" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+SysWOW64\\+</field>
    </rule>
    <rule id="900442" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Access To Browser Credential Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MpCopyAccelerator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
    </rule>
    <rule id="900443" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
            <id>attack.credential_access</id>
        </mitre>
        <description>Credential Manager Access By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Credentials\\+|\\+AppData\\+Roaming\\+Microsoft\\+Credentials\\+|\\+AppData\\+Local\\+Microsoft\\+Vault\\+|\\+ProgramData\\+Microsoft\\+Vault\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900444" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.004</id>
        </mitre>
        <description>Access To Windows DPAPI Master Keys By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Microsoft\\+Protect\\+S\-1\-5\-18\\+|\\+Microsoft\\+Protect\\+S\-1\-5\-21\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900445" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Access To .Reg/.Hive Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.hive|\.reg)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="900446" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.004</id>
        </mitre>
        <description>Access To Windows Credential History File By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Protect\\+CREDHIST)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
    </rule>
    <rule id="900447" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Access To Potentially Sensitive Sysvol Files By Uncommon Application</description>
        <options>no_full_log</options>
        <group>file_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\\+)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+sysvol\\+</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\\+Policies\\+</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:audit\.csv|Files\.xml|GptTmpl\.inf|groups\.xml|Registry\.pol|Registry\.xml|scheduledtasks\.xml|scripts\.ini|services\.xml)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+explorer\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+system32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?::\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900448" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1070.006</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>File Creation Date Changed to Another Year</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:2022)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:2022)</field>
    </rule>
    <rule id="900449" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1070.006</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>File Creation Date Changed to Another Year</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:2022)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:202)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:202)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+ProvTool\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+usocoreworker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+USOPrivate\\+UpdateStore\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.temp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.cab)$</field>
    </rule>
    <rule id="900450" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual File Modification by dns.exe</description>
        <options>no_full_log</options>
        <group>file_change,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+dns\.log)$</field>
    </rule>
    <rule id="900451" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
        </mitre>
        <description>Potential PrintNightmare Exploitation Attempt</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+3\\+</field>
    </rule>
    <rule id="900452" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Backup Files Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wt\.exe|\\+rundll32\.exe|\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.VHD|\.bac|\.bak|\.wbcat|\.bkf|\.set|\.win|\.dsk)$</field>
    </rule>
    <rule id="900453" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>EventLog EVTX File Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+winevt\\+Logs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.evtx)$</field>
    </rule>
    <rule id="900454" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Exchange PowerShell Cmdlet History Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:\\+Logging\\+CmdletInfra\\+LocalPowerShell\\+Cmdlet\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)_Cmdlet_</field>
    </rule>
    <rule id="900455" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>IIS WebServer Access Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+inetpub\\+logs\\+LogFiles\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.log)$</field>
    </rule>
    <rule id="900456" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>PowerShell Console History Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+PSReadLine\\+ConsoleHost_history\.txt)$</field>
    </rule>
    <rule id="900457" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>Prefetch File Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Windows\\+Prefetch\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pf)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="900458" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>TeamViewer Log File Deleted</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+TeamViewer_</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.log)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
    </rule>
    <rule id="900459" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>Tomcat WebServer Logs Deleted</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Tomcat</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+logs\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)catalina\.|_access_log\.|localhost\.</field>
    </rule>
    <rule id="900460" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>File Deleted Via Sysinternals SDelete</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.AAA|\.ZZZ)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+Wireshark\\+radius\\+dictionary\.alcatel\-lucent\.aaa)$</field>
    </rule>
    <rule id="900461" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual File Deletion by Dns.exe</description>
        <options>no_full_log</options>
        <group>file_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+dns\.log)$</field>
    </rule>
    <rule id="900462" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.004</id>
        </mitre>
        <description>ADS Zone.Identifier Deleted By Uncommon Application</description>
        <options>no_full_log</options>
        <group>windows,file_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::Zone\.Identifier)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900463" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious File Event With Teams Objects</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Teams\\+current\\+Teams\.exe</field>
    </rule>
    <rule id="900464" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Suspicious Unattend.xml File Access</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+unattend\.xml)$</field>
    </rule>
    <rule id="900465" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>ADSI-Cache File Creation By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Local\\+Microsoft\\+Windows\\+SchCache\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sch)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Cylance\\+Desktop\\+CylanceSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+CCM\\+CcmExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+efsui\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+windows\\+system32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+ccmsetup\\+autoupgrade\\+ccmsetup</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+SentinelOne\\+Sentinel\ Agent</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
    </rule>
    <rule id="900466" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1001.003</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>ADSI-Cache File Creation By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Local\\+Microsoft\\+Windows\\+SchCache\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sch)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+LANDesk\\+LDCLient\\+ldapwhoami\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+Receiver\ StoreFront\\+Services\\+DefaultDomainServices\\+Citrix\.DeliveryServices\.DomainServices\.ServiceHost\.exe)$</field>
    </rule>
    <rule id="900467" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Advanced IP Scanner - File Event</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+Advanced\ IP\ Scanner\ 2</field>
    </rule>
    <rule id="900468" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Anydesk Temporary Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+AnyDesk\\+user\.conf|\\+AppData\\+Roaming\\+AnyDesk\\+system\.conf</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.temp)$</field>
    </rule>
    <rule id="900469" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Suspicious Binary Writes Via AnyDesk</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+anydesk\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+gcapi\.dll)$</field>
    </rule>
    <rule id="900470" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Assembly DLL Creation Via AspNetCompiler</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Temporary\ ASP\.NET\ Files\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+assembly\\+tmp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="900471" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>BloodHound Collection Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:BloodHound\.zip|_computers\.json|_containers\.json|_domains\.json|_gpos\.json|_groups\.json|_ous\.json|_users\.json)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+pocket_containers\.json)$</field>
    </rule>
    <rule id="900472" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>EVTX Created In Uncommon Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.evtx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+winevt\\+Logs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\\+Containers\\+BaseImages\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+Windows\\+System32\\+winevt\\+Logs\\+)$</field>
    </rule>
    <rule id="900473" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Creation Of Non-Existent System DLL</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+TSMSISrv\.dll|:\\+Windows\\+System32\\+TSVIPSrv\.dll|:\\+Windows\\+System32\\+wbem\\+wbemcomn\.dll|:\\+Windows\\+System32\\+WLBSCTRL\.dll|:\\+Windows\\+System32\\+wow64log\.dll|:\\+Windows\\+System32\\+WptsExtensions\.dll|\\+SprintCSP\.dll)$</field>
    </rule>
    <rule id="900474" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>New Custom Shim Database Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Windows\\+apppatch\\+Custom\\+|:\\+Windows\\+apppatch\\+CustomSDB\\+</field>
    </rule>
    <rule id="900475" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious Screensaver Binary File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Kindle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Bin\\+ccSvcHst\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+uwfservicingscr\.scr)$</field>
    </rule>
    <rule id="900476" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Files With System Process Name In Unsuspected Locations</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe|\\+audiodg\.exe|\\+backgroundTaskHost\.exe|\\+bcdedit\.exe|\\+bitsadmin\.exe|\\+cmdl32\.exe|\\+cmstp\.exe|\\+conhost\.exe|\\+csrss\.exe|\\+dasHost\.exe|\\+dfrgui\.exe|\\+dllhost\.exe|\\+dwm\.exe|\\+eventcreate\.exe|\\+eventvwr\.exe|\\+explorer\.exe|\\+extrac32\.exe|\\+fontdrvhost\.exe|\\+ipconfig\.exe|\\+iscsicli\.exe|\\+iscsicpl\.exe|\\+logman\.exe|\\+LogonUI\.exe|\\+LsaIso\.exe|\\+lsass\.exe|\\+lsm\.exe|\\+msiexec\.exe|\\+msinfo32\.exe|\\+mstsc\.exe|\\+nbtstat\.exe|\\+odbcconf\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regini\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+RuntimeBroker\.exe|\\+schtasks\.exe|\\+SearchFilterHost\.exe|\\+SearchIndexer\.exe|\\+SearchProtocolHost\.exe|\\+SecurityHealthService\.exe|\\+SecurityHealthSystray\.exe|\\+services\.exe|\\+ShellAppRuntime\.exe|\\+sihost\.exe|\\+smartscreen\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+SystemSettingsBroker\.exe|\\+taskhost\.exe|\\+taskhostw\.exe|\\+Taskmgr\.exe|\\+TiWorker\.exe|\\+vssadmin\.exe|\\+w32tm\.exe|\\+WerFault\.exe|\\+WerFaultSecure\.exe|\\+wermgr\.exe|\\+wevtutil\.exe|\\+wininit\.exe|\\+winlogon\.exe|\\+winrshost\.exe|\\+WinRTNetMUAHostServer\.exe|\\+wlanext\.exe|\\+wlrmdr\.exe|\\+WmiPrvSE\.exe|\\+wslhost\.exe|\\+WSReset\.exe|\\+WUDFHost\.exe|\\+WWAHost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+SystemRoot\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+uus\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+SecurityHealth\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\\+SecurityHealthSystray\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SecurityHealthSetup\.exe)$</field>
    </rule>
    <rule id="900477" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Creation Exe for Service with Unquoted Path</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+program\.exe)$</field>
    </rule>
    <rule id="900478" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
        </mitre>
        <description>Cred Dump Tools Dropped Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+fgdump\-log|\\+kirbi|\\+pwdump|\\+pwhashes|\\+wce_ccache|\\+wce_krbtkts</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+cachedump\.exe|\\+cachedump64\.exe|\\+DumpExt\.dll|\\+DumpSvc\.exe|\\+Dumpy\.exe|\\+fgexec\.exe|\\+lsremora\.dll|\\+lsremora64\.dll|\\+NTDS\.out|\\+procdump64\.exe|\\+pstgdump\.exe|\\+pwdump\.exe|\\+SAM\.out|\\+SECURITY\.out|\\+servpw\.exe|\\+servpw64\.exe|\\+SYSTEM\.out|\\+test\.pwd|\\+wceaux\.dll)$</field>
    </rule>
    <rule id="900479" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>WScript or CScript Dropper - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+|C:\\+ProgramData)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.jse|\.vbe|\.js|\.vba|\.vbs)$</field>
    </rule>
    <rule id="900480" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>CSExec Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+csexecsvc\.exe)$</field>
    </rule>
    <rule id="900481" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic CSharp Compile Artefact</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.cmdline)$</field>
    </rule>
    <rule id="900482" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Potential DCOM InternetExplorer.Application DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
    </rule>
    <rule id="900483" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Search Order Hijackig Via Additional Space in Path</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\ \\+|C:\\+Program\ Files\ \\+|C:\\+Program\ Files\ $x86$\ \\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900484" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious DMP/HDMP File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp|\.dump|\.hdmp)$</field>
    </rule>
    <rule id="900485" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Attempt Via ErrorHandler.Cmd</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WINDOWS\\+Setup\\+Scripts\\+ErrorHandler\.cmd)$</field>
    </rule>
    <rule id="900486" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>GoToAssist Temporary Installation Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+LogMeInInc\\+GoToAssist\ Remote\ Support\ Expert\\+</field>
    </rule>
    <rule id="900487" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>CrackMapExec File Indicators</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+temp\.ps1|\\+msol\.ps1)$</field>
    </rule>
    <rule id="900488" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>CrackMapExec File Indicators</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+[a-zA-Z]{8}\.tmp$</field>
    </rule>
    <rule id="900489" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Dumpert Process Dumper Default File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:dumpert\.dmp)$</field>
    </rule>
    <rule id="900490" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
            <id>cve.2021.36934</id>
        </mitre>
        <description>Typical HiveNightmare SAM File Export</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+hive_sam_|\\+SAM\-2021\-|\\+SAM\-2022\-|\\+SAM\-2023\-|\\+SAM\-haxx|\\+Sam\.save</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+windows\\+temp\\+sam)$</field>
    </rule>
    <rule id="900491" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Inveigh Execution Artefacts</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Inveigh\-Log\.txt|\\+Inveigh\-Cleartext\.txt|\\+Inveigh\-NTLMv1Users\.txt|\\+Inveigh\-NTLMv2Users\.txt|\\+Inveigh\-NTLMv1\.txt|\\+Inveigh\-NTLMv2\.txt|\\+Inveigh\-FormInput\.txt|\\+Inveigh\.dll|\\+Inveigh\.exe|\\+Inveigh\.ps1|\\+Inveigh\-Relay\.ps1)$</field>
    </rule>
    <rule id="900492" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
        </mitre>
        <description>Mimikatz Kirbi File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.kirbi|mimilsa\.log)$</field>
    </rule>
    <rule id="900493" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>NPPSpy Hacktool Usage</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+NPPSpy\.txt|\\+NPPSpy\.dll)$</field>
    </rule>
    <rule id="900494" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
        </mitre>
        <description>Powerup Write Hijack DLL</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
    </rule>
    <rule id="900495" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>QuarksPwDump Dump File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+SAM\-</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="900496" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Remote Credential Dumping Activity</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+[a-zA-Z0-9]{8}\.tmp$</field>
    </rule>
    <rule id="900497" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>SafetyKatz Default Dump Filename</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Temp\\+debug\.bin)$</field>
    </rule>
    <rule id="900498" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
            <id>attack.t1574</id>
            <id>attack.t1574.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Initial Access via DLL Search Order Hijacking</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winword\.exe|\\+excel\.exe|\\+powerpnt\.exe|\\+MSACCESS\.EXE|\\+MSPUB\.EXE|\\+fltldr\.exe|\\+cmd\.exe|\\+certutil\.exe|\\+mshta\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+curl\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+OneDrive\\+|\\+Microsoft\ OneDrive\\+|\\+Microsoft\\+Teams\\+|\\+Local\\+slack\\+app\-|\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+api\-ms\-win\-core\-</field>
    </rule>
    <rule id="900499" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Installation of TeamViewer Desktop</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+TeamViewer_Desktop\.exe)$</field>
    </rule>
    <rule id="900500" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Malicious DLL File Dropped in the Teams or OneDrive Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)iphlpapi\.dll</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft</field>
    </rule>
    <rule id="900501" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO File Created Within Temp Folders</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.zip\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso)$</field>
    </rule>
    <rule id="900502" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO File Created Within Temp Folders</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Windows\\+INetCache\\+Content\.Outlook\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso)$</field>
    </rule>
    <rule id="900503" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>ISO or Image Mount Indicator in Recent Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.iso\.lnk|\.img\.lnk|\.vhd\.lnk|\.vhdx\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Recent\\+</field>
    </rule>
    <rule id="900504" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>GatherNetworkInfo.VBS Reconnaissance Script Output</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+config)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Hotfixinfo\.txt|\\+netiostate\.txt|\\+sysportslog\.txt|\\+VmSwitchLog\.evtx)$</field>
    </rule>
    <rule id="900505" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+lsass\.dmp|\\+lsass\.zip|\\+lsass\.rar|\\+Andrew\.dmp|\\+Coredump\.dmp|\\+NotLSASS\.zip|\\+PPLBlade\.dmp)$</field>
    </rule>
    <rule id="900506" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass_2|\\+lsassdump|\\+lsassdmp</field>
    </rule>
    <rule id="900507" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="900508" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)SQLDmpr</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.mdmp)$</field>
    </rule>
    <rule id="900509" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Files</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:nanodump)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp)$</field>
    </rule>
    <rule id="900510" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Dump Artefact In CrashDumps Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Local\\+CrashDumps\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)lsass\.exe\.</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dmp)$</field>
    </rule>
    <rule id="900511" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>WerFault LSASS Process Memory Dump</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+WerFault\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass|lsass\.exe</field>
    </rule>
    <rule id="900512" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>Adwind RAT / JRAT File Artifact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+Oracle\\+bin\\+java</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.exe</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Retrive</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.vbs</field>
    </rule>
    <rule id="900513" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1195</id>
            <id>attack.t1195.001</id>
        </mitre>
        <description>Octopus Scanner Malware</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Cache134\.dat|\\+AppData\\+Local\\+Microsoft\\+ExplorerSync\.db)$</field>
    </rule>
    <rule id="900514" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
            <id>cve.2022.30190</id>
        </mitre>
        <description>File Creation In Suspicious Directory By Msdt.EXE</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Desktop\\+|\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+PerfLogs\\+|C:\\+ProgramData\\+|C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="900515" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious DotNET CLR Usage Log Artifact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+UsageLogs\\+cmstp\.exe\.log|\\+UsageLogs\\+cscript\.exe\.log|\\+UsageLogs\\+mshta\.exe\.log|\\+UsageLogs\\+msxsl\.exe\.log|\\+UsageLogs\\+regsvr32\.exe\.log|\\+UsageLogs\\+rundll32\.exe\.log|\\+UsageLogs\\+svchost\.exe\.log|\\+UsageLogs\\+wscript\.exe\.log|\\+UsageLogs\\+wmic\.exe\.log)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsiExec\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\ \-Embedding</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Temp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="900516" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious File Creation In Uncommon AppData Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.cpl|\.dll|\.exe|\.hta|\.iso|\.lnk|\.msi|\.ps1|\.psm1|\.scr|\.vbe|\.vbs)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+LocalLow\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+</field>
    </rule>
    <rule id="900517" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>SCR File Write Event</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+NewOS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+WUDownloadCache\\+</field>
    </rule>
    <rule id="900518" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Notepad++ Plugins</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Notepad\+\+\\+plugins\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Notepad\+\+\\+updater\\+gup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+target\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:Installer\.x64\.exe)$</field>
    </rule>
    <rule id="900519" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:ntds\.dit)$</field>
    </rule>
    <rule id="900520" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+w3wp\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="900521" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+apache|\\+tomcat|\\+AppData\\+|\\+Temp\\+|\\+Public\\+|\\+PerfLogs\\+</field>
    </rule>
    <rule id="900522" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe|\\+wsl\.exe|\\+wt\.exe)$</field>
    </rule>
    <rule id="900523" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS.DIT Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+ntds\.dit)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Temp\\+|\\+Public\\+|\\+PerfLogs\\+</field>
    </rule>
    <rule id="900524" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>NTDS Exfiltration Filename Patterns</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+All\.cab|\.ntds\.cleartext)$</field>
    </rule>
    <rule id="900525" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.wll)$</field>
    </rule>
    <rule id="900526" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Excel\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="900527" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)Microsoft\\+Excel\\+XLSTART\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xlam)$</field>
    </rule>
    <rule id="900528" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Add-In</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Addins\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xlam|\.xla|\.ppam)$</field>
    </rule>
    <rule id="900529" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Office Macro File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.docm|\.dotm|\.xlsm|\.xltm|\.potm|\.pptm)$</field>
    </rule>
    <rule id="900530" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>OneNote Attachment File Dropped In Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.one|\.onepkg)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTE\.EXE)$</field>
    </rule>
    <rule id="900531" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious File Created Via OneNote Application</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe|\\+onenotem\.exe|\\+onenoteim\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+OneNote\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.chm|\.cmd|\.dll|\.exe|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf)$</field>
    </rule>
    <rule id="900532" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>New Outlook Macro Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Outlook\\+VbaProject\.OTM)$</field>
    </rule>
    <rule id="900533" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.003</id>
        </mitre>
        <description>Potential Persistence Via Outlook Form</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+FORMS\\+IPM|\\+Local\ Settings\\+Application\ Data\\+Microsoft\\+Forms</field>
    </rule>
    <rule id="900534" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Suspicious Outlook Macro Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Outlook\\+VbaProject\.OTM)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
    </rule>
    <rule id="900535" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Publisher Attachment File Dropped In Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|C:\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pub)$</field>
    </rule>
    <rule id="900536" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.doc|\.docm|\.docx|\.dot|\.dotm|\.rtf)$</field>
    </rule>
    <rule id="900537" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Potential Persistence Via Microsoft Office Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Excel\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.xls|\.xlsm|\.xlsx|\.xlt|\.xltm)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WINWORD\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+EXCEL\.exe)$</field>
    </rule>
    <rule id="900538" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204.002</id>
            <id>attack.execution</id>
        </mitre>
        <description>File With Uncommon Extension Created By An Office Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+powerpnt\.exe|\\+visio\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.com|\.dll|\.exe|\.hta|\.ocx|\.proj|\.ps1|\.scf|\.scr|\.sys|\.vbe|\.vbs|\.wsf|\.wsh)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+assembly\\+tmp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900539" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204.002</id>
            <id>attack.execution</id>
        </mitre>
        <description>File With Uncommon Extension Created By An Office Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+powerpnt\.exe|\\+visio\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.cmd|\.com|\.dll|\.exe|\.hta|\.ocx|\.proj|\.ps1|\.scf|\.scr|\.sys|\.vbe|\.vbs|\.wsf|\.wsh)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+WebServiceCache\\+AllUsers</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+webexdelta\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900540" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Uncommon File Created In Office Startup Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docb)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.docx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dotm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.mdb)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.mdw)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.pdf)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.wll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.wwl)$</field>
    </rule>
    <rule id="900541" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Uncommon File Created In Office Startup Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Word\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+STARTUP</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Excel\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Office</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Program\ Files</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+XLSTART</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xls)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlsm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlsx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlt)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xltm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.xlw)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
    </rule>
    <rule id="900542" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PCRE.NET Package Temp Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+ba9ea7344a4a5f591d6e5dc32a13494b\\+</field>
    </rule>
    <rule id="900543" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious File Created In PerfLogs</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+PerfLogs\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.7z|\.bat|\.bin|\.chm|\.dll|\.exe|\.hta|\.lnk|\.ps1|\.psm1|\.py|\.scr|\.sys|\.vbe|\.vbs|\.zip)$</field>
    </rule>
    <rule id="900544" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Binary Or Script Dropper Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.chm|\.cmd|\.com|\.dll|\.exe|\.hta|\.jar|\.js|\.ocx|\.scr|\.sys|\.vbe|\.vbs|\.wsf)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
    </rule>
    <rule id="900545" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Script Dropped Via PowerShell.EXE</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)__PSScriptPolicyTest_</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
    </rule>
    <rule id="900546" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - FileCreation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Add\-ConstrainedDelegationBackdoor\.ps1|\\+Add\-Exfiltration\.ps1|\\+Add\-Persistence\.ps1|\\+Add\-RegBackdoor\.ps1|\\+Add\-RemoteRegBackdoor\.ps1|\\+Add\-ScrnSaveBackdoor\.ps1|\\+ADRecon\.ps1|\\+AzureADRecon\.ps1|\\+Check\-VM\.ps1|\\+ConvertTo\-ROT13\.ps1|\\+Copy\-VSS\.ps1|\\+Create\-MultipleSessions\.ps1|\\+DNS_TXT_Pwnage\.ps1|\\+dnscat2\.ps1|\\+Do\-Exfiltration\.ps1|\\+DomainPasswordSpray\.ps1|\\+Download_Execute\.ps1|\\+Download\-Execute\-PS\.ps1|\\+Enable\-DuplicateToken\.ps1|\\+Enabled\-DuplicateToken\.ps1|\\+Execute\-Command\-MSSQL\.ps1|\\+Execute\-DNSTXT\-Code\.ps1|\\+Execute\-OnTime\.ps1|\\+ExetoText\.ps1|\\+Exploit\-Jboss\.ps1|\\+Find\-AVSignature\.ps1|\\+Find\-Fruit\.ps1|\\+Find\-GPOLocation\.ps1|\\+Find\-TrustedDocuments\.ps1|\\+FireBuster\.ps1|\\+FireListener\.ps1|\\+Get\-ApplicationHost\.ps1|\\+Get\-ChromeDump\.ps1|\\+Get\-ClipboardContents\.ps1|\\+Get\-ComputerDetail\.ps1|\\+Get\-FoxDump\.ps1|\\+Get\-GPPAutologon\.ps1|\\+Get\-GPPPassword\.ps1|\\+Get\-IndexedItem\.ps1|\\+Get\-Keystrokes\.ps1|\\+Get\-LSASecret\.ps1|\\+Get\-MicrophoneAudio\.ps1|\\+Get\-PassHashes\.ps1|\\+Get\-PassHints\.ps1|\\+Get\-RegAlwaysInstallElevated\.ps1|\\+Get\-RegAutoLogon\.ps1|\\+Get\-RickAstley\.ps1|\\+Get\-Screenshot\.ps1|\\+Get\-SecurityPackages\.ps1|\\+Get\-ServiceFilePermission\.ps1|\\+Get\-ServicePermission\.ps1|\\+Get\-ServiceUnquoted\.ps1|\\+Get\-SiteListPassword\.ps1|\\+Get\-System\.ps1|\\+Get\-TimedScreenshot\.ps1|\\+Get\-UnattendedInstallFile\.ps1|\\+Get\-Unconstrained\.ps1|\\+Get\-USBKeystrokes\.ps1|\\+Get\-VaultCredential\.ps1|\\+Get\-VulnAutoRun\.ps1|\\+Get\-VulnSchTask\.ps1|\\+Get\-WebConfig\.ps1|\\+Get\-WebCredentials\.ps1|\\+Get\-WLAN\-Keys\.ps1|\\+Gupt\-Backdoor\.ps1|\\+HTTP\-Backdoor\.ps1|\\+HTTP\-Login\.ps1|\\+Install\-ServiceBinary\.ps1|\\+Install\-SSP\.ps1|\\+Invoke\-ACLScanner\.ps1|\\+Invoke\-ADSBackdoor\.ps1|\\+Invoke\-AmsiBypass\.ps1|\\+Invoke\-ARPScan\.ps1|\\+Invoke\-BackdoorLNK\.ps1|\\+Invoke\-BadPotato\.ps1|\\+Invoke\-BetterSafetyKatz\.ps1|\\+Invoke\-BruteForce\.ps1|\\+Invoke\-BypassUAC\.ps1|\\+Invoke\-Carbuncle\.ps1|\\+Invoke\-Certify\.ps1|\\+Invoke\-ConPtyShell\.ps1|\\+Invoke\-CredentialInjection\.ps1|\\+Invoke\-CredentialsPhish\.ps1|\\+Invoke\-DAFT\.ps1|\\+Invoke\-DCSync\.ps1|\\+Invoke\-Decode\.ps1|\\+Invoke\-DinvokeKatz\.ps1|\\+Invoke\-DllInjection\.ps1|\\+Invoke\-DNSUpdate\.ps1|\\+Invoke\-DowngradeAccount\.ps1|\\+Invoke\-EgressCheck\.ps1|\\+Invoke\-Encode\.ps1|\\+Invoke\-EventViewer\.ps1|\\+Invoke\-Eyewitness\.ps1|\\+Invoke\-FakeLogonScreen\.ps1|\\+Invoke\-Farmer\.ps1|\\+Invoke\-Get\-RBCD\-Threaded\.ps1|\\+Invoke\-Gopher\.ps1|\\+Invoke\-Grouper2\.ps1|\\+Invoke\-Grouper3\.ps1|\\+Invoke\-HandleKatz\.ps1|\\+Invoke\-Interceptor\.ps1|\\+Invoke\-Internalmonologue\.ps1|\\+Invoke\-Inveigh\.ps1|\\+Invoke\-InveighRelay\.ps1|\\+Invoke\-JSRatRegsvr\.ps1|\\+Invoke\-JSRatRundll\.ps1|\\+Invoke\-KrbRelay\.ps1|\\+Invoke\-KrbRelayUp\.ps1|\\+Invoke\-LdapSignCheck\.ps1|\\+Invoke\-Lockless\.ps1|\\+Invoke\-MalSCCM\.ps1|\\+Invoke\-Mimikatz\.ps1|\\+Invoke\-MimikatzWDigestDowngrade\.ps1|\\+Invoke\-Mimikittenz\.ps1|\\+Invoke\-MITM6\.ps1|\\+Invoke\-NanoDump\.ps1|\\+Invoke\-NetRipper\.ps1|\\+Invoke\-NetworkRelay\.ps1|\\+Invoke\-NinjaCopy\.ps1|\\+Invoke\-OxidResolver\.ps1|\\+Invoke\-P0wnedshell\.ps1|\\+Invoke\-P0wnedshellx86\.ps1|\\+Invoke\-Paranoia\.ps1|\\+Invoke\-PortScan\.ps1|\\+Invoke\-PoshRatHttp\.ps1|\\+Invoke\-PoshRatHttps\.ps1|\\+Invoke\-PostExfil\.ps1|\\+Invoke\-PowerDump\.ps1|\\+Invoke\-PowerShellIcmp\.ps1|\\+Invoke\-PowerShellTCP\.ps1|\\+Invoke\-PowerShellTcpOneLine\.ps1|\\+Invoke\-PowerShellTcpOneLineBind\.ps1|\\+Invoke\-PowerShellUdp\.ps1|\\+Invoke\-PowerShellUdpOneLine\.ps1|\\+Invoke\-PowerShellWMI\.ps1|\\+Invoke\-PowerThIEf\.ps1|\\+Invoke\-PPLDump\.ps1|\\+Invoke\-Prasadhak\.ps1|\\+Invoke\-PsExec\.ps1|\\+Invoke\-PsGcat\.ps1|\\+Invoke\-PsGcatAgent\.ps1|\\+Invoke\-PSInject\.ps1|\\+Invoke\-PsUaCme\.ps1|\\+Invoke\-ReflectivePEInjection\.ps1|\\+Invoke\-ReverseDNSLookup\.ps1|\\+Invoke\-Rubeus\.ps1|\\+Invoke\-RunAs\.ps1|\\+Invoke\-SafetyKatz\.ps1|\\+Invoke\-SauronEye\.ps1|\\+Invoke\-SCShell\.ps1|\\+Invoke\-Seatbelt\.ps1|\\+Invoke\-ServiceAbuse\.ps1|\\+Invoke\-SessionGopher\.ps1|\\+Invoke\-ShellCode\.ps1|\\+Invoke\-SMBScanner\.ps1|\\+Invoke\-Snaffler\.ps1|\\+Invoke\-Spoolsample\.ps1|\\+Invoke\-SSHCommand\.ps1|\\+Invoke\-SSIDExfil\.ps1|\\+Invoke\-StandIn\.ps1|\\+Invoke\-StickyNotesExtract\.ps1|\\+Invoke\-Tater\.ps1|\\+Invoke\-Thunderfox\.ps1|\\+Invoke\-ThunderStruck\.ps1|\\+Invoke\-TokenManipulation\.ps1|\\+Invoke\-Tokenvator\.ps1|\\+Invoke\-TotalExec\.ps1|\\+Invoke\-UrbanBishop\.ps1|\\+Invoke\-UserHunter\.ps1|\\+Invoke\-VoiceTroll\.ps1|\\+Invoke\-Whisker\.ps1|\\+Invoke\-WinEnum\.ps1|\\+Invoke\-winPEAS\.ps1|\\+Invoke\-WireTap\.ps1|\\+Invoke\-WmiCommand\.ps1|\\+Invoke\-WScriptBypassUAC\.ps1|\\+Invoke\-Zerologon\.ps1|\\+Keylogger\.ps1|\\+MailRaider\.ps1|\\+New\-HoneyHash\.ps1|\\+OfficeMemScraper\.ps1|\\+Offline_Winpwn\.ps1|\\+Out\-CHM\.ps1|\\+Out\-DnsTxt\.ps1|\\+Out\-Excel\.ps1|\\+Out\-HTA\.ps1|\\+Out\-Java\.ps1|\\+Out\-JS\.ps1|\\+Out\-Minidump\.ps1|\\+Out\-RundllCommand\.ps1|\\+Out\-SCF\.ps1|\\+Out\-SCT\.ps1|\\+Out\-Shortcut\.ps1|\\+Out\-WebQuery\.ps1|\\+Out\-Word\.ps1|\\+Parse_Keys\.ps1|\\+Port\-Scan\.ps1|\\+PowerBreach\.ps1|\\+powercat\.ps1|\\+Powermad\.ps1|\\+PowerRunAsSystem\.psm1|\\+PowerSharpPack\.ps1|\\+PowerUp\.ps1|\\+PowerUpSQL\.ps1|\\+PowerView\.ps1|\\+PSAsyncShell\.ps1|\\+RemoteHashRetrieval\.ps1|\\+Remove\-Persistence\.ps1|\\+Remove\-PoshRat\.ps1|\\+Remove\-Update\.ps1|\\+Run\-EXEonRemote\.ps1|\\+Schtasks\-Backdoor\.ps1|\\+Set\-DCShadowPermissions\.ps1|\\+Set\-MacAttribute\.ps1|\\+Set\-RemotePSRemoting\.ps1|\\+Set\-RemoteWMI\.ps1|\\+Set\-Wallpaper\.ps1|\\+Show\-TargetScreen\.ps1|\\+Speak\.ps1|\\+Start\-CaptureServer\.ps1|\\+Start\-WebcamRecorder\.ps1|\\+StringToBase64\.ps1|\\+TexttoExe\.ps1|\\+VolumeShadowCopyTools\.ps1|\\+WinPwn\.ps1|\\+WSUSpendu\.ps1)$</field>
    </rule>
    <rule id="900547" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - FileCreation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)Invoke\-Sharp</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1)$</field>
    </rule>
    <rule id="900548" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Module File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+WindowsPowerShell\\+Modules\\+|\\+PowerShell\\+7\\+Modules\\+</field>
    </rule>
    <rule id="900549" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Suspicious PowerShell Module File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WindowsPowerShell\\+Modules\\+.+\\+\.ps|\\+WindowsPowerShell\\+Modules\\+.+\\+\.dll)$</field>
    </rule>
    <rule id="900550" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>PowerShell Module File Created By Non-PowerShell Process</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+WindowsPowerShell\\+Modules\\+|\\+PowerShell\\+7\\+Modules\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900551" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Potential Startup Shortcut Persistence Via PowerShell.EXE</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+start\ menu\\+programs\\+startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
    </rule>
    <rule id="900552" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PSScriptPolicyTest Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)__PSScriptPolicyTest_</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+ServerManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
    </rule>
    <rule id="900553" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_config_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>Rclone Config File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+\.config\\+rclone\\+</field>
    </rule>
    <rule id="900554" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>RDP File Creation From Suspicious Application</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+CCleaner\ Browser\\+Application\\+CCleanerBrowser\.exe|\\+chromium\.exe|\\+firefox\.exe|\\+Google\\+Chrome\\+Application\\+chrome\.exe|\\+iexplore\.exe|\\+microsoftedge\.exe|\\+msedge\.exe|\\+Opera\.exe|\\+Vivaldi\.exe|\\+Whale\.exe|\\+Outlook\.exe|\\+RuntimeBroker\.exe|\\+Thunderbird\.exe|\\+Discord\.exe|\\+Keybase\.exe|\\+msteams\.exe|\\+Slack\.exe|\\+teams\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.rdp</field>
    </rule>
    <rule id="900555" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Winnti Dropper Activity</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+gthread\-3\.6\.dll|\\+sigcmm\-2\.4\.dll|\\+Windows\\+Temp\\+tmp\.bat)$</field>
    </rule>
    <rule id="900556" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remcom_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>RemCom Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+RemComSvc\.exe)$</field>
    </rule>
    <rule id="900557" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>ScreenConnect Temporary Installation Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Bin\\+ScreenConnect\.</field>
    </rule>
    <rule id="900558" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Temporary File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ScreenConnect\.WindowsClient\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Documents\\+ConnectWiseControl\\+Temp\\+</field>
    </rule>
    <rule id="900559" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Potential RipZip Attack on Startup Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.lnk\.\{0AFACED1\-E828\-11D1\-9187\-B532F1E9575D\}</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
    </rule>
    <rule id="900560" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Potential SAM Database Dump</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Temp\\+sam|\\+sam\.sav|\\+Intel\\+sam|\\+sam\.hive|\\+Perflogs\\+sam|\\+ProgramData\\+sam|\\+Users\\+Public\\+sam|\\+AppData\\+Local\\+sam|\\+AppData\\+Roaming\\+sam|_ShadowSteal\.zip|\\+Documents\\+SAM\.export|:\\+sam)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+hive_sam_|\\+sam\.save|\\+sam\.export|\\+\~reg_sam\.save|\\+sam_backup|\\+sam\.bck|\\+sam\.backup</field>
    </rule>
    <rule id="900561" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Self Extraction Directive File Created In Potentially Suspicious Location</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i):\\+ProgramData\\+|:\\+Temp\\+|:\\+Windows\\+System32\\+Tasks\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sed)$</field>
    </rule>
    <rule id="900562" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Shell/Scripting Application File Write to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+msbuild\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+sh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+PerfLogs\\+|C:\\+Users\\+Public\\+)</field>
    </rule>
    <rule id="900563" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Windows Shell/Scripting Application File Write to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+forfiles\.exe|\\+mshta\.exe|\\+schtasks\.exe|\\+scriptrunner\.exe|\\+wmic\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+PerfLogs\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900564" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Windows Binaries Write Suspicious Extensions</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+smss\.exe|\\+RuntimeBroker\.exe|\\+sihost\.exe|\\+lsass\.exe|\\+csrss\.exe|\\+winlogon\.exe|\\+wininit\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.vbe|\.txt|\.vbs|\.exe|\.ps1|\.hta|\.iso|\.dll)$</field>
    </rule>
    <rule id="900565" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Windows Binaries Write Suspicious Extensions</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.bat|\.vbe|\.vbs|\.ps1|\.hta|\.iso)$</field>
    </rule>
    <rule id="900566" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Startup Folder File Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+StartUp</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+NewOS\\+)</field>
    </rule>
    <rule id="900567" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Suspicious Creation with Colorcpl</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+colorcpl\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.icm)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.gmmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.cdmp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.camp)$</field>
    </rule>
    <rule id="900568" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1055</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Created Files by Microsoft Sync Center</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mobsync\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
    </rule>
    <rule id="900569" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1036.005</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Files in Default GPO Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Policies\\+\{31B2F340\-016D\-11D2\-945F\-00C04FB984F9\}\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe)$</field>
    </rule>
    <rule id="900570" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Target File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Personalization\\+LockScreenImage\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)C:\\+Windows\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.jpg</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.jpeg</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\.png</field>
    </rule>
    <rule id="900571" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.009</id>
        </mitre>
        <description>Suspicious desktop.ini Action</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+desktop\.ini)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+JetBrains\\+Toolbox\\+bin\\+7z\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+JetBrains\\+apps\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+NewOS\\+)</field>
    </rule>
    <rule id="900572" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Creation TXT File in User Desktop</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Desktop\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.txt)$</field>
    </rule>
    <rule id="900573" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
        </mitre>
        <description>Creation of a Diagcab</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.diagcab)$</field>
    </rule>
    <rule id="900574" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Double Extension Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe|\.iso|\.rar|\.zip)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
    </rule>
    <rule id="900575" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Double Extension Files</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.rar\.exe|\.zip\.exe)$</field>
    </rule>
    <rule id="900576" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Suspicious MSExchangeMailboxReplication ASPX Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MSExchangeMailboxReplication\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.aspx|\.asp)$</field>
    </rule>
    <rule id="900577" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Suspicious Executable File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?::\\+\$Recycle\.Bin\.exe|:\\+Documents\ and\ Settings\.exe|:\\+MSOCache\.exe|:\\+PerfLogs\.exe|:\\+Recovery\.exe|\.bat\.exe|\.sys\.exe)$</field>
    </rule>
    <rule id="900578" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Get-Variable.exe Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:Local\\+Microsoft\\+WindowsApps\\+Get\-Variable\.exe)$</field>
    </rule>
    <rule id="900579" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)::\$index_allocation</field>
    </rule>
    <rule id="900580" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Archive</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winword\.exe|\\+excel\.exe|\\+powerpnt\.exe|\\+msaccess\.exe|\\+mspub\.exe|\\+eqnedt32\.exe|\\+visio\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+finger\.exe|\\+notepad\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+mshta\.exe|\\+hh\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.zip|\.rar|\.7z|\.diagcab|\.appx)$</field>
    </rule>
    <rule id="900581" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Executable</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+mshta\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+hh\.exe|\\+finger\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe|\.dll|\.ocx)$</field>
    </rule>
    <rule id="900582" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Legitimate Application Dropped Script</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe|\\+wordpad\.exe|\\+wordview\.exe|\\+certutil\.exe|\\+certoc\.exe|\\+CertReq\.exe|\\+Desktopimgdownldr\.exe|\\+esentutl\.exe|\\+mshta\.exe|\\+AcroRd32\.exe|\\+RdrCEF\.exe|\\+hh\.exe|\\+finger\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.ps1|\.bat|\.vbs|\.scf|\.wsf|\.wsh)$</field>
    </rule>
    <rule id="900583" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious LNK Double Extension File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Windows\\+Recent\\+</field>
    </rule>
    <rule id="900584" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious LNK Double Extension File Created</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.lnk)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpg\.|\.pdf\.|\.ppt\.|\.pptx\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powerpnt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Office\\+Recent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Excel</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powerpnt\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+PowerPoint</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Word</field>
    </rule>
    <rule id="900585" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Suspicious PFX File Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.pfx)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Templates\\+Windows\\+Windows_TemporaryKey\.pfx</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+CMake\\+</field>
    </rule>
    <rule id="900586" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.013</id>
        </mitre>
        <description>PowerShell Profile Modification</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.PowerShell_profile\.ps1|\\+PowerShell\\+profile\.ps1|\\+Program\ Files\\+PowerShell\\+7\-preview\\+profile\.ps1|\\+Program\ Files\\+PowerShell\\+7\\+profile\.ps1|\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+profile\.ps1|\\+WindowsPowerShell\\+profile\.ps1)$</field>
    </rule>
    <rule id="900587" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1562.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PROCEXP152.sys File Created In TMP</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:PROCEXP152\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procexp64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procexp\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procmon64\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+procmon\.exe</field>
    </rule>
    <rule id="900588" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious File Creation Activity From Fake Recycle.Bin Folder</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
    </rule>
    <rule id="900589" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Drop Binaries Into Spool Drivers Color Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spool\\+drivers\\+color\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll|\.exe|\.sys)$</field>
    </rule>
    <rule id="900590" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Startup Folder Persistence</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.vbs|\.vbe|\.bat|\.ps1|\.hta|\.dll|\.jar|\.msi|\.scr|\.cmd)$</field>
    </rule>
    <rule id="900591" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Interactive PowerShell as SYSTEM</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Roaming\\+Microsoft\\+Windows\\+PowerShell\\+PSReadLine\\+ConsoleHost_history\.txt|C:\\+Windows\\+System32\\+config\\+systemprofile\\+AppData\\+Local\\+Microsoft\\+Windows\\+PowerShell\\+StartupProfileData\-Interactive)$</field>
    </rule>
    <rule id="900592" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.execution</id>
            <id>attack.t1053</id>
        </mitre>
        <description>Suspicious Scheduled Task Write to System32 Tasks</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+Tasks</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|C:\\+PerfLogs|\\+Windows\\+System32\\+config\\+systemprofile</field>
    </rule>
    <rule id="900593" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Remote Session</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+TeamViewer\\+RemotePrinting\\+tvprint\.db|\\+TeamViewer\\+TVNetwork\.log)$</field>
    </rule>
    <rule id="900594" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>TeamViewer Remote Session</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+TeamViewer</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)_Logfile\.log</field>
    </rule>
    <rule id="900595" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.013</id>
        </mitre>
        <description>VsCode Powershell Profile Modification</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.VSCode_profile\.ps1)$</field>
    </rule>
    <rule id="900596" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.015</id>
        </mitre>
        <description>Windows Terminal Profile Settings Modification By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Packages\\+Microsoft\.WindowsTerminal_8wekyb3d8bbwe\\+LocalState\\+settings\.json)$</field>
    </rule>
    <rule id="900597" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>WinSxS Executable File Creation By Non-System Process</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Systems32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900598" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Kernel Memory Dump File Created</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+livekd\.dmp)$</field>
    </rule>
    <rule id="900599" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Driver Creation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+drivers\\+LiveKdD\.SYS)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+livekd\.exe|\\+livek64\.exe)$</field>
    </rule>
    <rule id="900600" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>LiveKD Driver Creation By Uncommon Process</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+drivers\\+LiveKdD\.SYS)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livek64\.exe)$</field>
    </rule>
    <rule id="900601" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Process Explorer Driver Creation By Non-Sysinternals Binary</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+PROCEXP</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
    </rule>
    <rule id="900602" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Process Monitor Driver Creation By Non-Sysinternals Binary</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+procmon</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sys)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
    </rule>
    <rule id="900603" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PsExec Service File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+PSEXESVC\.exe)$</field>
    </rule>
    <rule id="900604" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1136.002</id>
            <id>attack.t1543.003</id>
            <id>attack.t1570</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PSEXEC Remote Execution File Artefact</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+PSEXEC\-)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.key)$</field>
    </rule>
    <rule id="900605" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Potential Privilege Escalation Attempt Via .Exe.Local Technique</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+logonUI\.exe\.local|C:\\+Windows\\+System32\\+werFault\.exe\.local|C:\\+Windows\\+System32\\+consent\.exe\.local|C:\\+Windows\\+System32\\+narrator\.exe\.local|C:\\+Windows\\+System32\\+wermgr\.exe\.local)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900606" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Process Memory Dump Creation Via Taskmgr.EXE</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+system32\\+taskmgr\.exe|:\\+Windows\\+SysWOW64\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+lsass</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.DMP</field>
    </rule>
    <rule id="900607" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Hijack Legit RDP Session to Move Laterally</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
    </rule>
    <rule id="900608" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Consent and Comctl32 - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+consent\.exe\.@)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900609" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using .NET Code Profiler on MMC</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pe386\.dll)$</field>
    </rule>
    <rule id="900610" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>UAC Bypass Using EventVwr</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Event\ Viewer\\+RecentViews|\\+Microsoft\\+EventV\~1\\+RecentViews)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900611" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IDiagnostic Profile - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900612" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IEInstal - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+IEInstal\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:consent\.exe)$</field>
    </rule>
    <rule id="900613" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using MSConfig Token Modification - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pkgmgr\.exe)$</field>
    </rule>
    <rule id="900614" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+api\-ms\-win\-core\-kernel32\-legacy\-l1\.DLL)$</field>
    </rule>
    <rule id="900615" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+system32\\+winsat\.exe|\\+AppData\\+Local\\+Temp\\+system32\\+winmm\.dll)$</field>
    </rule>
    <rule id="900616" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+OskSupport\.dll)$</field>
    </rule>
    <rule id="900617" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+DllHost\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe)$</field>
    </rule>
    <rule id="900618" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>VHD Image Download Via Browser</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+firefox\.exe|\\+iexplore\.exe|\\+maxthon\.exe|\\+MicrosoftEdge\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+opera\.exe|\\+safari\.exe|\\+seamonkey\.exe|\\+vivaldi\.exe|\\+whale\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.vhd</field>
    </rule>
    <rule id="900619" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Visual Studio Code Tunnel Remote File Creation</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+\.vscode\-server\\+data\\+User\\+History\\+</field>
    </rule>
    <rule id="900620" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Renamed VsCode Code Tunnel Execution - File Indicator</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+code_tunnel\.json)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="900621" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Potential Webshell Creation On Static Website</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+inetpub\\+wwwroot\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ashx|\.asp|\.ph|\.soap</field>
    </rule>
    <rule id="900622" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Potential Webshell Creation On Static Website</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+www\\+|\\+htdocs\\+|\\+html\\+</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.ph</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+xampp</field>
    </rule>
    <rule id="900623" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
        </mitre>
        <description>Creation of an WerFault.exe in Unusual Folder</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe|\\+wer\.dll)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)\\+WinSxS\\+</field>
    </rule>
    <rule id="900624" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:WsmPty\.xsl|WsmTxt\.xsl)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="900625" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Wmiexec Default Output File</description>
        <options>no_full_log</options>
        <group>file_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+Windows\\+__1\d{9}\.\d{1,7}$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)C:\\+__1\d{9}\.\d{1,7}$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)D:\\+__1\d{9}\.\d{1,7}$</field>
    </rule>
    <rule id="900626" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Wmiprvse Wbemcomn DLL Hijack - File</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
    </rule>
    <rule id="900627" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.003</id>
            <id>attack.persistence</id>
        </mitre>
        <description>WMI Persistence - Script Event Consumer File Write</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+wbem\\+scrcons\.exe)$</field>
    </rule>
    <rule id="900628" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1542.001</id>
        </mitre>
        <description>UEFI Persistence Via Wpbbin - FileCreation</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wpbbin\.exe)$</field>
    </rule>
    <rule id="900629" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Writing Local Admin Share</description>
        <options>no_full_log</options>
        <group>windows,file_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+127\.0\.0</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\\+ADMIN\$\\+</field>
    </rule>
    <rule id="900630" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Self Extraction Directive File Created</description>
        <options>no_full_log</options>
        <group>windows,file_executable_detected,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)(?:\.sed)$</field>
    </rule>
    <rule id="900631" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Appended Extension</description>
        <options>no_full_log</options>
        <group>windows,file_rename,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.doc|\.docx|\.jpeg|\.jpg|\.lnk|\.pdf|\.png|\.pst|\.rtf|\.xls|\.xlsx)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpeg\.|\.jpg\.|\.lnk\.|\.pdf\.|\.png\.|\.pst\.|\.rtf\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.backup)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.bak)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.old)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.orig)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.temp)$</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
    </rule>
    <rule id="900632" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Appended Extension</description>
        <options>no_full_log</options>
        <group>windows,file_rename,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\.doc|\.docx|\.jpeg|\.jpg|\.lnk|\.pdf|\.png|\.pst|\.rtf|\.xls|\.xlsx)</field>
        <field name="win.eventdata.targetFilename" negate="no" type="pcre2">(?i)\.doc\.|\.docx\.|\.jpeg\.|\.jpg\.|\.lnk\.|\.pdf\.|\.png\.|\.pst\.|\.rtf\.|\.xls\.|\.xlsx\.</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Anaconda3\\+</field>
        <field name="win.eventdata.targetFilename" negate="yes" type="pcre2">(?i)(?:\.c\~)$</field>
    </rule>
    <rule id="900633" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
        </mitre>
        <description>DLL Loaded From Suspicious Location Via Cmspt.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+PerfLogs\\+|\\+ProgramData\\+|\\+Users\\+|\\+Windows\\+Temp\\+|C:\\+Temp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.dll|\.ocx)$</field>
    </rule>
    <rule id="900634" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Amsi.DLL Loaded Via LOLBIN Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+amsi\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ExtExport\.exe|\\+odbcconf\.exe|\\+regsvr32\.exe|\\+rundll32\.exe)$</field>
    </rule>
    <rule id="900635" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Azure Browser SSO Abuse</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+MicrosoftAccountTokenProvider\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+BackgroundTaskHost\.exe)$</field>
    </rule>
    <rule id="900636" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Azure Browser SSO Abuse</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+MicrosoftAccountTokenProvider\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+OneDrive\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900637" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Renamed Comsvcs DLL Loaded By Rundll32</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=eed93054cb555f3de70eaa9787f32ebb|IMPHASH=5e0dbdec1fce52daae251a110b4f309d|IMPHASH=eadbccbb324829acb5f2bbe87e5549a8|IMPHASH=407ca0f7b523319d758a40d7c0193699|IMPHASH=281d618f4e6271e527e6386ea6f748de</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+comsvcs\.dll)$</field>
    </rule>
    <rule id="900638" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>CredUI.DLL Loaded By Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+credui\.dll|\\+wincredui\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:credui\.dll|wincredui\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+regedit\.exe)$</field>
    </rule>
    <rule id="900639" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>CredUI.DLL Loaded By Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+credui\.dll|\\+wincredui\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:credui\.dll|wincredui\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera_autoupdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Teams\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
    </rule>
    <rule id="900640" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll|\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)^(?:false)$</field>
    </rule>
    <rule id="900641" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PCRE.NET Package Image Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+ba9ea7344a4a5f591d6e5dc32a13494b\\+</field>
    </rule>
    <rule id="900642" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By A Suspicious Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RstrtMgr\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="900643" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By A Suspicious Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RstrtMgr\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="900644" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1486</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Load Of RstrtMgr.DLL By An Uncommon Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RstrtMgr\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RstrtMgr\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysNative\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+WUDownloadCache\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\.tmp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900645" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
            <id>cve.2022.30190</id>
        </mitre>
        <description>Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+sdiageng\.dll)$</field>
    </rule>
    <rule id="900646" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1059.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Core DLL Loaded By Non PowerShell Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:System\.Management\.Automation)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:System\.Management\.Automation\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+System\.Management\.Automation\.dll|\\+System\.Management\.Automation\.ni\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+dsac\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+System32\\+RemoteFXvGPUDisablement\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+runscripthelper\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+ServerManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+SyncAppvPublishingServer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winrshost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+winrshost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)$</field>
    </rule>
    <rule id="900647" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1059.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Core DLL Loaded By Non PowerShell Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:System\.Management\.Automation)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:System\.Management\.Automation\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+System\.Management\.Automation\.dll|\\+System\.Management\.Automation\.ni\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ SQL\ Server\ Management\ Studio</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ SQL\ Server\ Management\ Studio</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+IDE\\+Ssms\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Tools\\+Binn\\+SQLPS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Citrix\\+ConfigSync\\+ConfigSyncRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+chocolatey\\+choco\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900648" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1218</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Time Travel Debugging Utility Usage - Image</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ttdrecord\.dll|\\+ttdwriter\.dll|\\+ttdloader\.dll)$</field>
    </rule>
    <rule id="900649" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy Vssapi.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vssapi\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+\{)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Package\ Cache\\+)</field>
    </rule>
    <rule id="900650" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy Vsstrace.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vsstrace\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+\{)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900651" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Suspicious Volume Shadow Copy VSS_PS.dll Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vss_ps\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+clussvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dismhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+inetsrv\\+appcmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+inetsrv\\+iissetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+searchindexer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+srtasks\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+System32\\+SystemPropertiesAdvanced\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+taskhostw\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tiworker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vssvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WinREAgent\\+Scratch\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+dismhost\.exe\ \{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900652" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SharpEvtMute DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=330768A4F172E10ACB6287B87289D83B</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:330768a4f172e10acb6287b87289d83b)$</field>
    </rule>
    <rule id="900653" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071</id>
        </mitre>
        <description>HackTool - SILENTTRINITY Stager DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)st2stager</field>
    </rule>
    <rule id="900654" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Potential DCOM InternetExplorer.Application DLL Hijack - Image Load</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+Internet\ Explorer\\+iertutil\.dll)$</field>
    </rule>
    <rule id="900655" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Unsigned Image Loaded Into LSASS Process</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)^(?:false)$</field>
    </rule>
    <rule id="900656" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>DotNET Assembly DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+assembly\\+)</field>
    </rule>
    <rule id="900657" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>CLR DLL Loaded Via Office Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+outlook\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+clr\.dll</field>
    </rule>
    <rule id="900658" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>GAC DLL Loaded Via Office Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+assembly\\+GAC_MSIL)</field>
    </rule>
    <rule id="900659" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dsparse_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Active Directory Parsing DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+dsparse\.dll</field>
    </rule>
    <rule id="900660" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Microsoft Excel Add-In Loaded From Uncommon Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Desktop\\+|\\+Downloads\\+|\\+Perflogs\\+|\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="900661" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_kerberos_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Active Directory Kerberos DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+kerberos\.dll)$</field>
    </rule>
    <rule id="900662" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Microsoft VBA For Outlook Addin Loaded Via Outlook</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+outlvba\.dll)$</field>
    </rule>
    <rule id="900663" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_powershell_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PowerShell Core DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+outlook\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+System\.Management\.Automation\.Dll|\\+System\.Management\.Automation\.ni\.Dll</field>
    </rule>
    <rule id="900664" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_vbadll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>VBA DLL Loaded Via Office Application</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+mspub\.exe|\\+onenote\.exe|\\+onenoteim\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+VBE7\.DLL|\\+VBEUI\.DLL|\\+VBE7INTL\.DLL)$</field>
    </rule>
    <rule id="900665" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Remote DLL Load Via Rundll32.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:\\+)</field>
    </rule>
    <rule id="900666" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vbscript\.dll|\\+wbemdisp\.dll|\\+wshom\.ocx|\\+scrrun\.dll)$</field>
    </rule>
    <rule id="900667" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_7za.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential 7za.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+7za\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="900668" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Abusable DLL Potential Sideloading From Suspicious Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+coreclr\.dll|\\+facesdk\.dll|\\+HPCustPartUI\.dll|\\+libcef\.dll|\\+ZIPDLL\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900669" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Abusable DLL Potential Sideloading From Suspicious Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+coreclr\.dll|\\+facesdk\.dll|\\+HPCustPartUI\.dll|\\+libcef\.dll|\\+ZIPDLL\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="900670" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Bitdefender\ Antivirus\ Free\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Bitdefender\ Antivirus\ Free\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dell\\+SARemediation\\+audit\\+TelemetryUtility\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dell\\+SARemediation\\+plugin\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dell\\+SARemediation\\+audit\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Canon\\+MyPrinter\\+)</field>
    </rule>
    <rule id="900671" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+F\-Secure\\+Anti\-Virus\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+F\-Secure\\+Anti\-Virus\\+)</field>
    </rule>
    <rule id="900672" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+F\-Secure\\+Anti\-Virus\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+F\-Secure\\+Anti\-Virus\\+)</field>
    </rule>
    <rule id="900673" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+McAfee\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+McAfee\\+)</field>
    </rule>
    <rule id="900674" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CyberArk\\+Endpoint\ Privilege\ Manager\\+Agent\\+x32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CyberArk\\+Endpoint\ Privilege\ Manager\\+Agent\\+x32\\+)</field>
    </rule>
    <rule id="900675" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+AVAST\ Software\\+Avast\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+AVAST\ Software\\+Avast\\+)</field>
    </rule>
    <rule id="900676" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tmdbglog\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+Trend\ Micro\\+Titanium\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+Trend\ Micro\\+Titanium\\+)</field>
    </rule>
    <rule id="900677" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Antivirus Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+log\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+qrt\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+ashldres\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+lockdown\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vsodscpl\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+vftrace\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+wsc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tmdbglog\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+DLPPREM32\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\\+ESET)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+program\ Files\ $x86$\\+ESET)</field>
    </rule>
    <rule id="900678" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_appverifui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential appverifUI.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+appverifUI\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+appverif\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+appverif\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900679" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Aruba Network Service Potential DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arubanetsvc\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wtsapi32\.dll|\\+msvcr100\.dll|\\+msvcp100\.dll|\\+dbghelp\.dll|\\+dbgcore\.dll|\\+wininet\.dll|\\+iphlpapi\.dll|\\+version\.dll|\\+cryptsp\.dll|\\+cryptbase\.dll|\\+wldp\.dll|\\+profapi\.dll|\\+sspicli\.dll|\\+winsta\.dll|\\+dpapi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900680" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_avkkid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential AVKkid.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+AVKkid\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+G\ DATA\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+G\ DATA\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AVKKid\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+G\ DATA\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+G\ DATA\\+)</field>
    </rule>
    <rule id="900681" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_du.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential CCleanerDU.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+CCleanerDU\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleaner\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleaner64\.exe)$</field>
    </rule>
    <rule id="900682" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential CCleanerReactivator.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+CCleanerReactivator\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+CCleaner\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CCleanerReactivator\.exe)$</field>
    </rule>
    <rule id="900683" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Chrome Frame Helper DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+chrome_frame_helper\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+)</field>
    </rule>
    <rule id="900684" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Chrome Frame Helper DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+chrome_frame_helper\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+local\\+Google\\+Chrome\\+Application\\+</field>
    </rule>
    <rule id="900685" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via ClassicExplorer32.dll</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ClassicExplorer32\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Classic\ Shell\\+)</field>
    </rule>
    <rule id="900686" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via comctl32.dll</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+logonUI\.exe\.local\\+|C:\\+Windows\\+System32\\+werFault\.exe\.local\\+|C:\\+Windows\\+System32\\+consent\.exe\.local\\+|C:\\+Windows\\+System32\\+narrator\.exe\.local\\+|C:\\+windows\\+system32\\+wermgr\.exe\.local\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+comctl32\.dll)$</field>
    </rule>
    <rule id="900687" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_coregen.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential DLL Sideloading Using Coregen.exe</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+coregen\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Silverlight\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Silverlight\\+)</field>
    </rule>
    <rule id="900688" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>System Control Panel Item Loaded From Uncommon Location</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+hdwwiz\.cpl|\\+appwiz\.cpl)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="900689" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGCORE.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SystemTemp\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900690" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGCORE.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbgcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Steam\\+bin\\+cef\\+cef\.win7x64\\+dbgcore\.dll)$</field>
    </rule>
    <rule id="900691" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGHELP.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SystemTemp\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900692" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of DBGHELP.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Anaconda3\\+Lib\\+site\-packages\\+vtrace\\+platforms\\+windll\\+amd64\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Anaconda3\\+Lib\\+site\-packages\\+vtrace\\+platforms\\+windll\\+i386\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Epic\ Games\\+Launcher\\+Engine\\+Binaries\\+ThirdParty\\+DbgHelp\\+dbghelp\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+Epic\ Games\\+MagicLegends\\+x86\\+dbghelp\.dll)$</field>
    </rule>
    <rule id="900693" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_eacore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential EACore.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+EACore\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Electronic\ Arts\\+EA\ Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+EACoreServer\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Electronic\ Arts\\+EA\ Desktop\\+)</field>
    </rule>
    <rule id="900694" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_edputil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Edputil.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+edputil\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900695" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential System DLL Sideloading From Non System Locations</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+shfolder\.dll|\\+activeds\.dll|\\+adsldpc\.dll|\\+aepic\.dll|\\+apphelp\.dll|\\+applicationframe\.dll|\\+appxalluserstore\.dll|\\+appxdeploymentclient\.dll|\\+archiveint\.dll|\\+atl\.dll|\\+audioses\.dll|\\+auditpolcore\.dll|\\+authfwcfg\.dll|\\+authz\.dll|\\+avrt\.dll|\\+bcd\.dll|\\+bcp47langs\.dll|\\+bcp47mrm\.dll|\\+bcrypt\.dll|\\+cabinet\.dll|\\+cabview\.dll|\\+certenroll\.dll|\\+cldapi\.dll|\\+clipc\.dll|\\+clusapi\.dll|\\+cmpbk32\.dll|\\+coloradapterclient\.dll|\\+colorui\.dll|\\+comdlg32\.dll|\\+connect\.dll|\\+coremessaging\.dll|\\+credui\.dll|\\+cryptbase\.dll|\\+cryptdll\.dll|\\+cryptui\.dll|\\+cryptxml\.dll|\\+cscapi\.dll|\\+cscobj\.dll|\\+cscui\.dll|\\+d2d1\.dll|\\+d3d10\.dll|\\+d3d10_1\.dll|\\+d3d10_1core\.dll|\\+d3d10core\.dll|\\+d3d10warp\.dll|\\+d3d11\.dll|\\+d3d12\.dll|\\+d3d9\.dll|\\+dataexchange\.dll|\\+davclnt\.dll|\\+dcomp\.dll|\\+defragproxy\.dll|\\+desktopshellext\.dll|\\+deviceassociation\.dll|\\+devicecredential\.dll|\\+devicepairing\.dll|\\+devobj\.dll|\\+devrtl\.dll|\\+dhcpcmonitor\.dll|\\+dhcpcsvc\.dll|\\+dhcpcsvc6\.dll|\\+directmanipulation\.dll|\\+dismapi\.dll|\\+dismcore\.dll|\\+dmcfgutils\.dll|\\+dmcmnutils\.dll|\\+dmenrollengine\.dll|\\+dmenterprisediagnostics\.dll|\\+dmiso8601utils\.dll|\\+dmoleaututils\.dll|\\+dmprocessxmlfiltered\.dll|\\+dmpushproxy\.dll|\\+dmxmlhelputils\.dll|\\+dnsapi\.dll|\\+dot3api\.dll|\\+dot3cfg\.dll|\\+drprov\.dll|\\+dsclient\.dll|\\+dsparse\.dll|\\+dsreg\.dll|\\+dsrole\.dll|\\+dui70\.dll|\\+duser\.dll|\\+dusmapi\.dll|\\+dwmapi\.dll|\\+dwrite\.dll|\\+dxgi\.dll|\\+dxva2\.dll|\\+eappcfg\.dll|\\+eappprxy\.dll|\\+edputil\.dll|\\+efsadu\.dll|\\+efsutil\.dll|\\+esent\.dll|\\+execmodelproxy\.dll|\\+explorerframe\.dll|\\+fastprox\.dll|\\+faultrep\.dll|\\+fddevquery\.dll|\\+feclient\.dll|\\+fhcfg\.dll|\\+firewallapi\.dll|\\+flightsettings\.dll|\\+fltlib\.dll|\\+fveapi\.dll|\\+fwbase\.dll|\\+fwcfg\.dll|\\+fwpolicyiomgr\.dll|\\+fwpuclnt\.dll|\\+getuname\.dll|\\+hid\.dll|\\+hnetmon\.dll|\\+httpapi\.dll|\\+idstore\.dll|\\+ieadvpack\.dll|\\+iedkcs32\.dll|\\+iernonce\.dll|\\+iertutil\.dll|\\+ifmon\.dll|\\+iphlpapi\.dll|\\+iri\.dll|\\+iscsidsc\.dll|\\+iscsium\.dll|\\+isv\.exe_rsaenh\.dll|\\+joinutil\.dll|\\+ksuser\.dll|\\+ktmw32\.dll|\\+licensemanagerapi\.dll|\\+licensingdiagspp\.dll|\\+linkinfo\.dll|\\+loadperf\.dll|\\+logoncli\.dll|\\+logoncontroller\.dll|\\+lpksetupproxyserv\.dll|\\+magnification\.dll|\\+mapistub\.dll|\\+mfcore\.dll|\\+mfplat\.dll|\\+mi\.dll|\\+midimap\.dll|\\+miutils\.dll|\\+mlang\.dll|\\+mmdevapi\.dll|\\+mobilenetworking\.dll|\\+mpr\.dll|\\+mprapi\.dll|\\+mrmcorer\.dll|\\+msacm32\.dll|\\+mscms\.dll|\\+mscoree\.dll|\\+msctf\.dll|\\+msctfmonitor\.dll|\\+msdrm\.dll|\\+msftedit\.dll|\\+msi\.dll|\\+msutb\.dll|\\+mswb7\.dll|\\+mswsock\.dll|\\+msxml3\.dll|\\+mtxclu\.dll|\\+napinsp\.dll|\\+ncrypt\.dll|\\+ndfapi\.dll|\\+netid\.dll|\\+netiohlp\.dll|\\+netplwiz\.dll|\\+netprofm\.dll|\\+netsetupapi\.dll|\\+netshell\.dll|\\+netutils\.dll|\\+networkexplorer\.dll|\\+newdev\.dll|\\+ninput\.dll|\\+nlaapi\.dll|\\+nlansp_c\.dll|\\+npmproxy\.dll|\\+nshhttp\.dll|\\+nshipsec\.dll|\\+nshwfp\.dll|\\+ntdsapi\.dll|\\+ntlanman\.dll|\\+ntlmshared\.dll|\\+ntmarta\.dll|\\+ntshrui\.dll|\\+oleacc\.dll|\\+omadmapi\.dll|\\+onex\.dll|\\+osbaseln\.dll|\\+osuninst\.dll|\\+p2p\.dll|\\+p2pnetsh\.dll|\\+p9np\.dll|\\+pcaui\.dll|\\+pdh\.dll|\\+peerdistsh\.dll|\\+pla\.dll|\\+pnrpnsp\.dll|\\+policymanager\.dll|\\+polstore\.dll|\\+printui\.dll|\\+propsys\.dll|\\+prvdmofcomp\.dll|\\+puiapi\.dll|\\+radcui\.dll|\\+rasapi32\.dll|\\+rasgcw\.dll|\\+rasman\.dll|\\+rasmontr\.dll|\\+reagent\.dll|\\+regapi\.dll|\\+resutils\.dll|\\+rmclient\.dll|\\+rpcnsh\.dll|\\+rsaenh\.dll|\\+rtutils\.dll|\\+rtworkq\.dll|\\+samcli\.dll|\\+samlib\.dll|\\+sapi_onecore\.dll|\\+sas\.dll|\\+scansetting\.dll|\\+scecli\.dll|\\+schedcli\.dll|\\+secur32\.dll|\\+shell32\.dll|\\+slc\.dll|\\+snmpapi\.dll|\\+spp\.dll|\\+sppc\.dll|\\+srclient\.dll|\\+srpapi\.dll|\\+srvcli\.dll|\\+ssp\.exe_rsaenh\.dll|\\+ssp_isv\.exe_rsaenh\.dll|\\+sspicli\.dll|\\+ssshim\.dll|\\+staterepository\.core\.dll|\\+structuredquery\.dll|\\+sxshared\.dll|\\+tapi32\.dll|\\+tbs\.dll|\\+tdh\.dll|\\+tquery\.dll|\\+tsworkspace\.dll|\\+ttdrecord\.dll|\\+twext\.dll|\\+twinapi\.dll|\\+twinui\.appcore\.dll|\\+uianimation\.dll|\\+uiautomationcore\.dll|\\+uireng\.dll|\\+uiribbon\.dll|\\+updatepolicy\.dll|\\+userenv\.dll|\\+utildll\.dll|\\+uxinit\.dll|\\+uxtheme\.dll|\\+vaultcli\.dll|\\+virtdisk\.dll|\\+vssapi\.dll|\\+vsstrace\.dll|\\+wbemprox\.dll|\\+wbemsvc\.dll|\\+wcmapi\.dll|\\+wcnnetsh\.dll|\\+wdi\.dll|\\+wdscore\.dll|\\+webservices\.dll|\\+wecapi\.dll|\\+wer\.dll|\\+wevtapi\.dll|\\+whhelper\.dll|\\+wimgapi\.dll|\\+winbrand\.dll|\\+windows\.storage\.dll|\\+windows\.storage\.search\.dll|\\+windowscodecs\.dll|\\+windowscodecsext\.dll|\\+windowsudk\.shellcommon\.dll|\\+winhttp\.dll|\\+wininet\.dll|\\+winipsec\.dll|\\+winmde\.dll|\\+winmm\.dll|\\+winnsi\.dll|\\+winrnr\.dll|\\+winsqlite3\.dll|\\+winsta\.dll|\\+wkscli\.dll|\\+wlanapi\.dll|\\+wlancfg\.dll|\\+wldp\.dll|\\+wlidprov\.dll|\\+wmiclnt\.dll|\\+wmidcom\.dll|\\+wmiutils\.dll|\\+wmsgapi\.dll|\\+wofutil\.dll|\\+wpdshext\.dll|\\+wshbth\.dll|\\+wshelper\.dll|\\+wtsapi32\.dll|\\+wwapi\.dll|\\+xmllite\.dll|\\+xolehlp\.dll|\\+xwizards\.dll|\\+xwtpw32\.dll|\\+aclui\.dll|\\+bderepair\.dll|\\+bootmenuux\.dll|\\+dcntel\.dll|\\+dwmcore\.dll|\\+dynamoapi\.dll|\\+fhsvcctl\.dll|\\+fxsst\.dll|\\+inproclogger\.dll|\\+iumbase\.dll|\\+kdstub\.dll|\\+maintenanceui\.dll|\\+mdmdiagnostics\.dll|\\+mintdh\.dll|\\+msdtctm\.dll|\\+nettrace\.dll|\\+osksupport\.dll|\\+reseteng\.dll|\\+resetengine\.dll|\\+spectrumsyncclient\.dll|\\+srcore\.dll|\\+systemsettingsthresholdadminflowui\.dll|\\+timesync\.dll|\\+upshared\.dll|\\+wmpdui\.dll|\\+wwancfg\.dll|\\+dpx\.dll|\\+fxsapi\.dll|\\+fxstiff\.dll|\\+xpsservices\.dll|\\+appvpolicy\.dll|\\+batmeter\.dll|\\+bootux\.dll|\\+cmutil\.dll|\\+configmanager2\.dll|\\+coredplus\.dll|\\+coreuicomponents\.dll|\\+cryptsp\.dll|\\+dmcommandlineutils\.dll|\\+drvstore\.dll|\\+dsprop\.dll|\\+dxcore\.dll|\\+edgeiso\.dll|\\+framedynos\.dll|\\+fveskybackup\.dll|\\+fvewiz\.dll|\\+gpapi\.dll|\\+icmp\.dll|\\+ifsutil\.dll|\\+iumsdk\.dll|\\+lockhostingframework\.dll|\\+lrwizdll\.dll|\\+mbaexmlparser\.dll|\\+mfc42u\.dll|\\+msiso\.dll|\\+msvcp110_win\.dll|\\+netapi32\.dll|\\+netjoin\.dll|\\+netprovfw\.dll|\\+opcservices\.dll|\\+pkeyhelper\.dll|\\+playsndsrv\.dll|\\+powrprof\.dll|\\+prntvpt\.dll|\\+profapi\.dll|\\+proximitycommon\.dll|\\+proximityservicepal\.dll|\\+rasdlg\.dll|\\+security\.dll|\\+sppcext\.dll|\\+srmtrace\.dll|\\+tpmcoreprovisioning\.dll|\\+umpdc\.dll|\\+unattend\.dll|\\+urlmon\.dll|\\+vdsutil\.dll|\\+version\.dll|\\+winbio\.dll|\\+windows\.ui\.immersive\.dll|\\+winscard\.dll|\\+winsync\.dll|\\+wscapi\.dll|\\+wsmsvc\.dll|\\+FxsCompose\.dll|\\+WfsR\.dll|\\+rpchttp\.dll|\\+storageusage\.dll|\\+amsi\.dll|\\+PrintIsolationProxy\.dll|\\+msdtcVSp1res\.dll|\\+rdpendp\.dll|\\+dxilconv\.dll|\\+utcutil\.dll|\\+appraiser\.dll|\\+dsound\.dll|\\+DispBroker\.dll|\\+FXSRESM\.DLL|\\+cryptnet\.dll|\\+COMRES\.DLL|\\+igdumdim64\.dll|\\+igd10iumd64\.dll|\\+igd12umd64\.dll|\\+igdusc64\.dll|\\+WLBSCTRL\.dll|\\+TSMSISrv\.dll|\\+TSVIPSrv\.dll|\\+wow64log\.dll|\\+WptsExtensions\.dll|\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+\$WinREAgent\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SystemTemp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+cscui\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+version\.dll)$</field>
    </rule>
    <rule id="900696" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential System DLL Sideloading From Non System Locations</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+shfolder\.dll|\\+activeds\.dll|\\+adsldpc\.dll|\\+aepic\.dll|\\+apphelp\.dll|\\+applicationframe\.dll|\\+appxalluserstore\.dll|\\+appxdeploymentclient\.dll|\\+archiveint\.dll|\\+atl\.dll|\\+audioses\.dll|\\+auditpolcore\.dll|\\+authfwcfg\.dll|\\+authz\.dll|\\+avrt\.dll|\\+bcd\.dll|\\+bcp47langs\.dll|\\+bcp47mrm\.dll|\\+bcrypt\.dll|\\+cabinet\.dll|\\+cabview\.dll|\\+certenroll\.dll|\\+cldapi\.dll|\\+clipc\.dll|\\+clusapi\.dll|\\+cmpbk32\.dll|\\+coloradapterclient\.dll|\\+colorui\.dll|\\+comdlg32\.dll|\\+connect\.dll|\\+coremessaging\.dll|\\+credui\.dll|\\+cryptbase\.dll|\\+cryptdll\.dll|\\+cryptui\.dll|\\+cryptxml\.dll|\\+cscapi\.dll|\\+cscobj\.dll|\\+cscui\.dll|\\+d2d1\.dll|\\+d3d10\.dll|\\+d3d10_1\.dll|\\+d3d10_1core\.dll|\\+d3d10core\.dll|\\+d3d10warp\.dll|\\+d3d11\.dll|\\+d3d12\.dll|\\+d3d9\.dll|\\+dataexchange\.dll|\\+davclnt\.dll|\\+dcomp\.dll|\\+defragproxy\.dll|\\+desktopshellext\.dll|\\+deviceassociation\.dll|\\+devicecredential\.dll|\\+devicepairing\.dll|\\+devobj\.dll|\\+devrtl\.dll|\\+dhcpcmonitor\.dll|\\+dhcpcsvc\.dll|\\+dhcpcsvc6\.dll|\\+directmanipulation\.dll|\\+dismapi\.dll|\\+dismcore\.dll|\\+dmcfgutils\.dll|\\+dmcmnutils\.dll|\\+dmenrollengine\.dll|\\+dmenterprisediagnostics\.dll|\\+dmiso8601utils\.dll|\\+dmoleaututils\.dll|\\+dmprocessxmlfiltered\.dll|\\+dmpushproxy\.dll|\\+dmxmlhelputils\.dll|\\+dnsapi\.dll|\\+dot3api\.dll|\\+dot3cfg\.dll|\\+drprov\.dll|\\+dsclient\.dll|\\+dsparse\.dll|\\+dsreg\.dll|\\+dsrole\.dll|\\+dui70\.dll|\\+duser\.dll|\\+dusmapi\.dll|\\+dwmapi\.dll|\\+dwrite\.dll|\\+dxgi\.dll|\\+dxva2\.dll|\\+eappcfg\.dll|\\+eappprxy\.dll|\\+edputil\.dll|\\+efsadu\.dll|\\+efsutil\.dll|\\+esent\.dll|\\+execmodelproxy\.dll|\\+explorerframe\.dll|\\+fastprox\.dll|\\+faultrep\.dll|\\+fddevquery\.dll|\\+feclient\.dll|\\+fhcfg\.dll|\\+firewallapi\.dll|\\+flightsettings\.dll|\\+fltlib\.dll|\\+fveapi\.dll|\\+fwbase\.dll|\\+fwcfg\.dll|\\+fwpolicyiomgr\.dll|\\+fwpuclnt\.dll|\\+getuname\.dll|\\+hid\.dll|\\+hnetmon\.dll|\\+httpapi\.dll|\\+idstore\.dll|\\+ieadvpack\.dll|\\+iedkcs32\.dll|\\+iernonce\.dll|\\+iertutil\.dll|\\+ifmon\.dll|\\+iphlpapi\.dll|\\+iri\.dll|\\+iscsidsc\.dll|\\+iscsium\.dll|\\+isv\.exe_rsaenh\.dll|\\+joinutil\.dll|\\+ksuser\.dll|\\+ktmw32\.dll|\\+licensemanagerapi\.dll|\\+licensingdiagspp\.dll|\\+linkinfo\.dll|\\+loadperf\.dll|\\+logoncli\.dll|\\+logoncontroller\.dll|\\+lpksetupproxyserv\.dll|\\+magnification\.dll|\\+mapistub\.dll|\\+mfcore\.dll|\\+mfplat\.dll|\\+mi\.dll|\\+midimap\.dll|\\+miutils\.dll|\\+mlang\.dll|\\+mmdevapi\.dll|\\+mobilenetworking\.dll|\\+mpr\.dll|\\+mprapi\.dll|\\+mrmcorer\.dll|\\+msacm32\.dll|\\+mscms\.dll|\\+mscoree\.dll|\\+msctf\.dll|\\+msctfmonitor\.dll|\\+msdrm\.dll|\\+msftedit\.dll|\\+msi\.dll|\\+msutb\.dll|\\+mswb7\.dll|\\+mswsock\.dll|\\+msxml3\.dll|\\+mtxclu\.dll|\\+napinsp\.dll|\\+ncrypt\.dll|\\+ndfapi\.dll|\\+netid\.dll|\\+netiohlp\.dll|\\+netplwiz\.dll|\\+netprofm\.dll|\\+netsetupapi\.dll|\\+netshell\.dll|\\+netutils\.dll|\\+networkexplorer\.dll|\\+newdev\.dll|\\+ninput\.dll|\\+nlaapi\.dll|\\+nlansp_c\.dll|\\+npmproxy\.dll|\\+nshhttp\.dll|\\+nshipsec\.dll|\\+nshwfp\.dll|\\+ntdsapi\.dll|\\+ntlanman\.dll|\\+ntlmshared\.dll|\\+ntmarta\.dll|\\+ntshrui\.dll|\\+oleacc\.dll|\\+omadmapi\.dll|\\+onex\.dll|\\+osbaseln\.dll|\\+osuninst\.dll|\\+p2p\.dll|\\+p2pnetsh\.dll|\\+p9np\.dll|\\+pcaui\.dll|\\+pdh\.dll|\\+peerdistsh\.dll|\\+pla\.dll|\\+pnrpnsp\.dll|\\+policymanager\.dll|\\+polstore\.dll|\\+printui\.dll|\\+propsys\.dll|\\+prvdmofcomp\.dll|\\+puiapi\.dll|\\+radcui\.dll|\\+rasapi32\.dll|\\+rasgcw\.dll|\\+rasman\.dll|\\+rasmontr\.dll|\\+reagent\.dll|\\+regapi\.dll|\\+resutils\.dll|\\+rmclient\.dll|\\+rpcnsh\.dll|\\+rsaenh\.dll|\\+rtutils\.dll|\\+rtworkq\.dll|\\+samcli\.dll|\\+samlib\.dll|\\+sapi_onecore\.dll|\\+sas\.dll|\\+scansetting\.dll|\\+scecli\.dll|\\+schedcli\.dll|\\+secur32\.dll|\\+shell32\.dll|\\+slc\.dll|\\+snmpapi\.dll|\\+spp\.dll|\\+sppc\.dll|\\+srclient\.dll|\\+srpapi\.dll|\\+srvcli\.dll|\\+ssp\.exe_rsaenh\.dll|\\+ssp_isv\.exe_rsaenh\.dll|\\+sspicli\.dll|\\+ssshim\.dll|\\+staterepository\.core\.dll|\\+structuredquery\.dll|\\+sxshared\.dll|\\+tapi32\.dll|\\+tbs\.dll|\\+tdh\.dll|\\+tquery\.dll|\\+tsworkspace\.dll|\\+ttdrecord\.dll|\\+twext\.dll|\\+twinapi\.dll|\\+twinui\.appcore\.dll|\\+uianimation\.dll|\\+uiautomationcore\.dll|\\+uireng\.dll|\\+uiribbon\.dll|\\+updatepolicy\.dll|\\+userenv\.dll|\\+utildll\.dll|\\+uxinit\.dll|\\+uxtheme\.dll|\\+vaultcli\.dll|\\+virtdisk\.dll|\\+vssapi\.dll|\\+vsstrace\.dll|\\+wbemprox\.dll|\\+wbemsvc\.dll|\\+wcmapi\.dll|\\+wcnnetsh\.dll|\\+wdi\.dll|\\+wdscore\.dll|\\+webservices\.dll|\\+wecapi\.dll|\\+wer\.dll|\\+wevtapi\.dll|\\+whhelper\.dll|\\+wimgapi\.dll|\\+winbrand\.dll|\\+windows\.storage\.dll|\\+windows\.storage\.search\.dll|\\+windowscodecs\.dll|\\+windowscodecsext\.dll|\\+windowsudk\.shellcommon\.dll|\\+winhttp\.dll|\\+wininet\.dll|\\+winipsec\.dll|\\+winmde\.dll|\\+winmm\.dll|\\+winnsi\.dll|\\+winrnr\.dll|\\+winsqlite3\.dll|\\+winsta\.dll|\\+wkscli\.dll|\\+wlanapi\.dll|\\+wlancfg\.dll|\\+wldp\.dll|\\+wlidprov\.dll|\\+wmiclnt\.dll|\\+wmidcom\.dll|\\+wmiutils\.dll|\\+wmsgapi\.dll|\\+wofutil\.dll|\\+wpdshext\.dll|\\+wshbth\.dll|\\+wshelper\.dll|\\+wtsapi32\.dll|\\+wwapi\.dll|\\+xmllite\.dll|\\+xolehlp\.dll|\\+xwizards\.dll|\\+xwtpw32\.dll|\\+aclui\.dll|\\+bderepair\.dll|\\+bootmenuux\.dll|\\+dcntel\.dll|\\+dwmcore\.dll|\\+dynamoapi\.dll|\\+fhsvcctl\.dll|\\+fxsst\.dll|\\+inproclogger\.dll|\\+iumbase\.dll|\\+kdstub\.dll|\\+maintenanceui\.dll|\\+mdmdiagnostics\.dll|\\+mintdh\.dll|\\+msdtctm\.dll|\\+nettrace\.dll|\\+osksupport\.dll|\\+reseteng\.dll|\\+resetengine\.dll|\\+spectrumsyncclient\.dll|\\+srcore\.dll|\\+systemsettingsthresholdadminflowui\.dll|\\+timesync\.dll|\\+upshared\.dll|\\+wmpdui\.dll|\\+wwancfg\.dll|\\+dpx\.dll|\\+fxsapi\.dll|\\+fxstiff\.dll|\\+xpsservices\.dll|\\+appvpolicy\.dll|\\+batmeter\.dll|\\+bootux\.dll|\\+cmutil\.dll|\\+configmanager2\.dll|\\+coredplus\.dll|\\+coreuicomponents\.dll|\\+cryptsp\.dll|\\+dmcommandlineutils\.dll|\\+drvstore\.dll|\\+dsprop\.dll|\\+dxcore\.dll|\\+edgeiso\.dll|\\+framedynos\.dll|\\+fveskybackup\.dll|\\+fvewiz\.dll|\\+gpapi\.dll|\\+icmp\.dll|\\+ifsutil\.dll|\\+iumsdk\.dll|\\+lockhostingframework\.dll|\\+lrwizdll\.dll|\\+mbaexmlparser\.dll|\\+mfc42u\.dll|\\+msiso\.dll|\\+msvcp110_win\.dll|\\+netapi32\.dll|\\+netjoin\.dll|\\+netprovfw\.dll|\\+opcservices\.dll|\\+pkeyhelper\.dll|\\+playsndsrv\.dll|\\+powrprof\.dll|\\+prntvpt\.dll|\\+profapi\.dll|\\+proximitycommon\.dll|\\+proximityservicepal\.dll|\\+rasdlg\.dll|\\+security\.dll|\\+sppcext\.dll|\\+srmtrace\.dll|\\+tpmcoreprovisioning\.dll|\\+umpdc\.dll|\\+unattend\.dll|\\+urlmon\.dll|\\+vdsutil\.dll|\\+version\.dll|\\+winbio\.dll|\\+windows\.ui\.immersive\.dll|\\+winscard\.dll|\\+winsync\.dll|\\+wscapi\.dll|\\+wsmsvc\.dll|\\+FxsCompose\.dll|\\+WfsR\.dll|\\+rpchttp\.dll|\\+storageusage\.dll|\\+amsi\.dll|\\+PrintIsolationProxy\.dll|\\+msdtcVSp1res\.dll|\\+rdpendp\.dll|\\+dxilconv\.dll|\\+utcutil\.dll|\\+appraiser\.dll|\\+dsound\.dll|\\+DispBroker\.dll|\\+FXSRESM\.DLL|\\+cryptnet\.dll|\\+COMRES\.DLL|\\+igdumdim64\.dll|\\+igd10iumd64\.dll|\\+igd12umd64\.dll|\\+igdusc64\.dll|\\+WLBSCTRL\.dll|\\+TSMSISrv\.dll|\\+TSVIPSrv\.dll|\\+wow64log\.dll|\\+WptsExtensions\.dll|\\+wbemcomn\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mswb7\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Arsenal\-Image\-Mounter\-</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+miutils\.dl)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ClickToRun\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Common\ Files\\+microsoft\ shared\\+ClickToRun\\+AppVPolicy\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+backgroundTaskHost\.exe</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+DellInc\.DellSupportAssistforPCs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wldp\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+CheckPoint\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+CheckPoint\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SmartConsole\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+CheckPoint\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+CheckPoint\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+PolicyManager\.dll)$</field>
    </rule>
    <rule id="900697" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Goopdate.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+goopdate\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="900698" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Goopdate.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+goopdate\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+GUM</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\.tmp\\+Dropbox</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+GUM</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\.tmp\\+goopdate\.dll</field>
    </rule>
    <rule id="900699" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gup\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libcurl\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
    </rule>
    <rule id="900700" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_iviewers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Iviewers.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+iviewers\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Kits\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Kits\\+)</field>
    </rule>
    <rule id="900701" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via JsSchHlp</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+JSESPR\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Justsystem\\+JsSchHlp\\+)</field>
    </rule>
    <rule id="900702" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Libvlc.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libvlc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+VideoLAN\\+VLC\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VideoLAN\\+VLC\\+)</field>
    </rule>
    <rule id="900703" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mfdetours.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mfdetours\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Windows\ Kits\\+10\\+bin\\+</field>
    </rule>
    <rule id="900704" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Unsigned Mfdetours.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mfdetours\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Windows\ Kits\\+10\\+bin\\+</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Valid)</field>
    </rule>
    <rule id="900705" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Of Non-Existent DLLs From System Folders</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+TSMSISrv\.dll|:\\+Windows\\+System32\\+TSVIPSrv\.dll|:\\+Windows\\+System32\\+wbem\\+wbemcomn\.dll|:\\+Windows\\+System32\\+WLBSCTRL\.dll|:\\+Windows\\+System32\\+wow64log\.dll|:\\+Windows\\+System32\\+WptsExtensions\.dll)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Valid)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Microsoft\ Windows)</field>
    </rule>
    <rule id="900706" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Microsoft Office DLL Sideload</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+outllib\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+Root\\+OFFICE)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+Root\\+OFFICE)</field>
    </rule>
    <rule id="900707" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rcdll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Rcdll.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+rcdll\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Kits\\+)</field>
    </rule>
    <rule id="900708" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RjvPlatform.DLL Sideloading From Default Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+SystemResetPlatform\\+SystemResetPlatform\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+\$SysReset\\+Framework\\+Stack\\+RjvPlatform\.dll)$</field>
    </rule>
    <rule id="900709" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RjvPlatform.DLL Sideloading From Non-Default Location</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+RjvPlatform\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:\\+SystemResetPlatform\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+SystemResetPlatform\\+)</field>
    </rule>
    <rule id="900710" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential RoboForm.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+roboform\.dll|\\+roboform\-x64\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\ C:\\+Program\ Files\ $x86$\\+Siber\ Systems\\+AI\ RoboForm\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\ C:\\+Program\ Files\\+Siber\ Systems\\+AI\ RoboForm\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+robotaskbaricon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+robotaskbaricon\-x64\.exe)$</field>
    </rule>
    <rule id="900711" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shelldispatch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential ShellDispatch.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ShellDispatch\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900712" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Sideloading Of ShellChromeAPI.DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+ShellChromeAPI\.dll)$</field>
    </rule>
    <rule id="900713" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential SmadHook.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SmadHook32c\.dll|\\+SmadHook64c\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SMADAV\\+SmadavProtect32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SMADAV\\+SmadavProtect64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SMADAV\\+SmadavProtect32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SMADAV\\+SmadavProtect64\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SMADAV\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SMADAV\\+)</field>
    </rule>
    <rule id="900714" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential SolidPDFCreator.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+SolidPDFCreator\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SolidPDFCreator\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SolidDocuments\\+SolidPDFCreator\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SolidDocuments\\+SolidPDFCreator\\+)</field>
    </rule>
    <rule id="900715" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Third Party Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+commfunc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+local\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Lenovo\\+Communications\ Utility\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Lenovo\\+Communications\ Utility\\+)</field>
    </rule>
    <rule id="900716" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Third Party Software DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+commfunc\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+tosbtkbd\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Toshiba\\+Bluetooth\ Toshiba\ Stack\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Toshiba\\+Bluetooth\ Toshiba\ Stack\\+)</field>
    </rule>
    <rule id="900717" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ualapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Fax Service DLL Search Order Hijack</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fxssvc\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:ualapi\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900718" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Vivaldi_elf.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+vivaldi_elf\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Vivaldi\\+Application\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+Vivaldi\\+Application\\+</field>
    </rule>
    <rule id="900719" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMGuestLib DLL Sideload</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+vmStatsProvider\\+win32</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+vmGuestLib\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+wbem\\+WmiApSrv\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:true)$</field>
    </rule>
    <rule id="900720" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMMap Signed Dbghelp.DLL Potential Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Debuggers\\+dbghelp\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vmmap\.exe|\\+vmmap64\.exe)$</field>
        <field name="win.eventdata.signed" negate="no" type="pcre2">(?i)^(?:true)$</field>
    </rule>
    <rule id="900721" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>VMMap Unsigned Dbghelp.DLL Potential Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)C:\\+Debuggers\\+dbghelp\.dll</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vmmap\.exe|\\+vmmap64\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:true)$</field>
    </rule>
    <rule id="900722" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmware_xfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential DLL Sideloading Via VMware Xfer</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VMwareXferlogs\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+glib\-2\.0\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VMware\\+)</field>
    </rule>
    <rule id="900723" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_waveedit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Waveedit.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+waveedit\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+waveedit\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+waveedit\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Nero\\+Nero\ Apps\\+Nero\ WaveEditor\\+)</field>
    </rule>
    <rule id="900724" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Wazuh Security Platform DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libwazuhshared\.dll|\\+libwinpthread\-1\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900725" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Wazuh Security Platform DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+libwazuhshared\.dll|\\+libwinpthread\-1\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)\\+ProgramData\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)(?:\\+mingw64\\+bin\\+libwinpthread\-1\.dll)$</field>
    </rule>
    <rule id="900726" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_windows_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+mpclient\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Security\ Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="900727" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.001</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential WWlib.DLL Sideloading</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wwlib\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
    </rule>
    <rule id="900728" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>Windows Spooler Service Suspicious Binary Load</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+3\\+|\\+Windows\\+System32\\+spool\\+drivers\\+x64\\+4\\+</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="900729" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
        </mitre>
        <description>DLL Load By System Process From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+|C:\\+PerfLogs\\+)</field>
    </rule>
    <rule id="900730" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.002</id>
        </mitre>
        <description>Python Image Load By Non-Python Process</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Python\ Core)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Python</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Anaconda3\\+)</field>
    </rule>
    <rule id="900731" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.002</id>
        </mitre>
        <description>Python Image Load By Non-Python Process</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Python\ Core)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900732" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>DotNet CLR DLL Loaded By Scripting Applications</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+msxsl\.exe|\\+regsvr32\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+clr\.dll|\\+mscoree\.dll|\\+mscorlib\.dll)$</field>
    </rule>
    <rule id="900733" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218.011</id>
            <id>attack.t1218.010</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Unsigned DLL Loaded by Windows Utility</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+InstallUtil\.exe|\\+RegAsm\.exe|\\+RegSvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:errorChaining)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:errorCode_endpoint)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:errorExpired)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:trusted)</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:None)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\-)</field>
    </rule>
    <rule id="900734" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_thor_unsigned_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Suspicious Unsigned Thor Scanner Execution</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+thor\.exe|\\+thor64\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+thor\.exe|\\+thor64\.exe)$</field>
        <field name="win.eventdata.signed" negate="yes" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:valid)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Nextron\ Systems\ GmbH)</field>
    </rule>
    <rule id="900735" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Iscsicpl - ImageLoad</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+iscsicpl\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+iscsiexe\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)C:\\+Windows\\+</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)iscsiexe\.dll</field>
    </rule>
    <rule id="900736" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>UAC Bypass With Fake DLL</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dism\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+dismcore\.dll)$</field>
        <field name="win.eventdata.imageLoaded" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Dism\\+dismcore\.dll)$</field>
    </rule>
    <rule id="900737" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>WMIC Loading Scripting Libraries</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+jscript\.dll|\\+vbscript\.dll)$</field>
    </rule>
    <rule id="900738" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Wmiprvse Wbemcomn DLL Hijack</description>
        <options>no_full_log</options>
        <group>windows,image_load,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wbem\\+wbemcomn\.dll)$</field>
    </rule>
    <rule id="900739" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.003</id>
            <id>attack.persistence</id>
        </mitre>
        <description>WMI Persistence - Command Line Event Consumer</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+wbemcons\.dll)$</field>
    </rule>
    <rule id="900740" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.imageLoaded" negate="no" type="pcre2">(?i)(?:\\+WsmSvc\.dll|\\+WsmAuto\.dll|\\+Microsoft\.WSMan\.Management\.ni\.dll)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WsmSvc\.dll|WSMANAUTOMATION\.DLL|Microsoft\.WSMan\.Management\.dll)$</field>
    </rule>
    <rule id="900741" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WsmWmiPl\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ BITS</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ GraphicsPerfSvcGroup\ \-s\ GraphicsPerfSvc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ NetworkService\ \-p\ \-s\ Wecsvc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+v)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework\\+v)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mscorsvw\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Configure\-SMRemoting\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ServerManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+asgard2\-agent\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Citrix\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+\$WINDOWS\.\~BT\\+Sources\\+)</field>
    </rule>
    <rule id="900742" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious WSMAN Provider Image Loads</description>
        <options>no_full_log</options>
        <group>image_load,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WsmWmiPl\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900743" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_addinutil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Network Connection Initiated By AddinUtil.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
    </rule>
    <rule id="900744" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Connection Initiated Via Certutil.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:80|135|443|445)$</field>
    </rule>
    <rule id="900745" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
        </mitre>
        <description>Dllhost.EXE Initiated Network Connection To Non-Local IP Address</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.184\.0\.0/13)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.192\.0\.0/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:23\.72\.0\.0/13)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.10\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.103\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.104\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:52\.224\.0\.0/11)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:204\.79\.197\.0/24)</field>
    </rule>
    <rule id="900746" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To Mega.nz</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:mega\.co\.nz|mega\.nz)$</field>
    </rule>
    <rule id="900747" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Process Initiated Network  Connection To Ngrok Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.ngrok\-free\.app|\.ngrok\-free\.dev|\.ngrok\.app|\.ngrok\.dev|\.ngrok\.io)$</field>
    </rule>
    <rule id="900748" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.command_and_control</id>
            <id>attack.t1567</id>
            <id>attack.t1568.002</id>
            <id>attack.t1572</id>
            <id>attack.t1090</id>
            <id>attack.t1102</id>
            <id>attack.s0508</id>
        </mitre>
        <description>Communication To Ngrok Tunneling Service Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)tunnel\.us\.ngrok\.com|tunnel\.eu\.ngrok\.com|tunnel\.ap\.ngrok\.com|tunnel\.au\.ngrok\.com|tunnel\.sa\.ngrok\.com|tunnel\.jp\.ngrok\.com|tunnel\.in\.ngrok\.com</field>
    </rule>
    <rule id="900749" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
        </mitre>
        <description>Equation Editor Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+eqnedt32\.exe)$</field>
    </rule>
    <rule id="900750" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Network Connection Initiated By IMEWDBLD.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+IMEWDBLD\.exe)$</field>
    </rule>
    <rule id="900751" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec_http.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Msiexec.EXE Initiated Network Connection Over HTTP</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:80|443)$</field>
    </rule>
    <rule id="900752" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Network Connection Initiated Via Notepad.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:9100)$</field>
    </rule>
    <rule id="900753" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Potentially Suspicious Network Connection To Notion API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.notion\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Notion\\+Notion\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900754" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
        </mitre>
        <description>Office Application Initiated Network Connection To Non-Local IP</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.184\.0\.0/13)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.192\.0\.0/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:23\.72\.0\.0/13)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.10\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.103\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.104\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:204\.79\.197\.0/24)</field>
    </rule>
    <rule id="900755" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Office Application Initiated Network Connection Over Uncommon Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+excel\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:53)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:80)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:139)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:443)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:445)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:465)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:587)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:993)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:995)$</field>
    </rule>
    <rule id="900756" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Python Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)python</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)^(?:127\.0\.0\.1)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.1)</field>
    </rule>
    <rule id="900757" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>Python Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)python</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Anaconda3\\+Scripts\\+conda\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Anaconda3\\+Scripts\\+conda\-script\.py</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Anaconda3\\+python\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Anaconda3\\+Scripts\\+jupyter\-notebook\-script\.py</field>
    </rule>
    <rule id="900758" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Outbound RDP Connections Over Non-Standard Tools</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:3389)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+mstsc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+mstsc\.exe)$</field>
    </rule>
    <rule id="900759" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Outbound RDP Connections Over Non-Standard Tools</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:3389)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+dns\.exe)$</field>
        <field name="win.eventdata.sourcePort" negate="yes" type="pcre2">(?i)^(?:53)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:udp)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Avast\ Software\\+Avast\\+AvastSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Avast\\+AvastSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RDCMan\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FSAssessment\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FSDiscovery\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MobaRTE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mRemote\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mRemoteNG\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Passwordstate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManager\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManager64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RemoteDesktopManagerFree\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RSSensor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RTS2App\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+RTSApp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+spiceworks\-finder\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Terminals\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ws_TunnelService\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SplunkUniversalForwarder\\+bin\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Ranger\\+SentinelRanger\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+TSplus\\+Java\\+bin\\+HTML5service\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+TSplus\\+Java\\+bin\\+HTML5service\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:&lt;unknown\ process&gt;)$</field>
    </rule>
    <rule id="900760" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>RDP to HTTP or HTTPS Target Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.sourcePort" negate="no" type="pcre2">(?i)^(?:3389)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:80|443)$</field>
    </rule>
    <rule id="900761" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Network Connection Initiated By Regsvr32.EXE</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
    </rule>
    <rule id="900762" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.execution</id>
        </mitre>
        <description>Rundll32 Internet Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.103\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.104\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.105\.0\.0/16)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+PcaSvc\.dll,PcaPatchSdbTask)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\.internal\.cloudapp\.net)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:443)$</field>
    </rule>
    <rule id="900763" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Script Initiated Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
    </rule>
    <rule id="900764" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Script Initiated Connection to Non-Local Network</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.0\.0\.0/11)</field>
    </rule>
    <rule id="900765" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1127.001</id>
        </mitre>
        <description>Silenttrinity Stager Msbuild Activity</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msbuild\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:80|443)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
    </rule>
    <rule id="900766" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Network Connection Binary No CommandLine</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe|\\+rundll32\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe|\\+rundll32\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900767" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
        </mitre>
        <description>Cmstp Making Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
    </rule>
    <rule id="900768" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>Network Communication With Crypto Mining Pool</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)^(?:alimabi\.cn|ap\.luckpool\.net|bcn\.pool\.minergate\.com|bcn\.vip\.pool\.minergate\.com|bohemianpool\.com|ca\-aipg\.miningocean\.org|ca\-dynex\.miningocean\.org|ca\-neurai\.miningocean\.org|ca\-qrl\.miningocean\.org|ca\-upx\.miningocean\.org|ca\-zephyr\.miningocean\.org|ca\.minexmr\.com|ca\.monero\.herominers\.com|cbd\.monerpool\.org|cbdv2\.monerpool\.org|cryptmonero\.com|crypto\-pool\.fr|crypto\-pool\.info|cryptonight\-hub\.miningpoolhub\.com|d1pool\.ddns\.net|d5pool\.us|daili01\.monerpool\.org|de\-aipg\.miningocean\.org|de\-dynex\.miningocean\.org|de\-zephyr\.miningocean\.org|de\.minexmr\.com|dl\.nbminer\.com|donate\.graef\.in|donate\.ssl\.xmrig\.com|donate\.v2\.xmrig\.com|donate\.xmrig\.com|donate2\.graef\.in|drill\.moneroworld\.com|dwarfpool\.com|emercoin\.com|emercoin\.net|emergate\.net|ethereumpool\.co|eu\.luckpool\.net|eu\.minerpool\.pw|fcn\-xmr\.pool\.minergate\.com|fee\.xmrig\.com|fr\-aipg\.miningocean\.org|fr\-dynex\.miningocean\.org|fr\-neurai\.miningocean\.org|fr\-qrl\.miningocean\.org|fr\-upx\.miningocean\.org|fr\-zephyr\.miningocean\.org|fr\.minexmr\.com|hellominer\.com|herominers\.com|hk\-aipg\.miningocean\.org|hk\-dynex\.miningocean\.org|hk\-neurai\.miningocean\.org|hk\-qrl\.miningocean\.org|hk\-upx\.miningocean\.org|hk\-zephyr\.miningocean\.org|huadong1\-aeon\.ppxxmr\.com|iwanttoearn\.money|jw\-js1\.ppxxmr\.com|koto\-pool\.work|lhr\.nbminer\.com|lhr3\.nbminer\.com|linux\.monerpool\.org|lokiturtle\.herominers\.com|luckpool\.net|masari\.miner\.rocks|mine\.c3pool\.com|mine\.moneropool\.com|mine\.ppxxmr\.com|mine\.zpool\.ca|mine1\.ppxxmr\.com|minemonero\.gq|miner\.ppxxmr\.com|miner\.rocks|minercircle\.com|minergate\.com|minerpool\.pw|minerrocks\.com|miners\.pro|minerxmr\.ru|minexmr\.cn|minexmr\.com|mining\-help\.ru|miningpoolhub\.com|mixpools\.org|moner\.monerpool\.org|moner1min\.monerpool\.org|monero\-master\.crypto\-pool\.fr|monero\.crypto\-pool\.fr|monero\.hashvault\.pro|monero\.herominers\.com|monero\.lindon\-pool\.win|monero\.miners\.pro|monero\.riefly\.id|monero\.us\.to|monerocean\.stream|monerogb\.com|monerohash\.com|moneroocean\.stream|moneropool\.com|moneropool\.nl|monerorx\.com|monerpool\.org|moriaxmr\.com|mro\.pool\.minergate\.com|multipool\.us|myxmr\.pw|na\.luckpool\.net|nanopool\.org|nbminer\.com|node3\.luckpool\.net|noobxmr\.com|pangolinminer\.comgandalph3000\.com|pool\.4i7i\.com|pool\.armornetwork\.org|pool\.cortins\.tk|pool\.gntl\.co\.uk|pool\.hashvault\.pro|pool\.minergate\.com|pool\.minexmr\.com|pool\.monero\.hashvault\.pro|pool\.ppxxmr\.com|pool\.somec\.cc|pool\.support|pool\.supportxmr\.com|pool\.usa\-138\.com|pool\.xmr\.pt|pool\.xmrfast\.com|pool2\.armornetwork\.org|poolchange\.ppxxmr\.com|pooldd\.com|poolmining\.org|poolto\.be|ppxvip1\.ppxxmr\.com|ppxxmr\.com|prohash\.net|r\.twotouchauthentication\.online|randomx\.xmrig\.com|ratchetmining\.com|seed\.emercoin\.com|seed\.emercoin\.net|seed\.emergate\.net|seed1\.joulecoin\.org|seed2\.joulecoin\.org|seed3\.joulecoin\.org|seed4\.joulecoin\.org|seed5\.joulecoin\.org|seed6\.joulecoin\.org|seed7\.joulecoin\.org|seed8\.joulecoin\.org|sg\-aipg\.miningocean\.org|sg\-dynex\.miningocean\.org|sg\-neurai\.miningocean\.org|sg\-qrl\.miningocean\.org|sg\-upx\.miningocean\.org|sg\-zephyr\.miningocean\.org|sg\.minexmr\.com|sheepman\.mine\.bz|siamining\.com|sumokoin\.minerrocks\.com|supportxmr\.com|suprnova\.cc|teracycle\.net|trtl\.cnpool\.cc|trtl\.pool\.mine2gether\.com|turtle\.miner\.rocks|us\-aipg\.miningocean\.org|us\-dynex\.miningocean\.org|us\-neurai\.miningocean\.org|us\-west\.minexmr\.com|us\-zephyr\.miningocean\.org|usxmrpool\.com|viaxmr\.com|webservicepag\.webhop\.net|xiazai\.monerpool\.org|xiazai1\.monerpool\.org|xmc\.pool\.minergate\.com|xmo\.pool\.minergate\.com|xmr\-asia1\.nanopool\.org|xmr\-au1\.nanopool\.org|xmr\-eu1\.nanopool\.org|xmr\-eu2\.nanopool\.org|xmr\-jp1\.nanopool\.org|xmr\-us\-east1\.nanopool\.org|xmr\-us\-west1\.nanopool\.org|xmr\-us\.suprnova\.cc|xmr\-usa\.dwarfpool\.com|xmr\.2miners\.com|xmr\.5b6b7b\.ru|xmr\.alimabi\.cn|xmr\.bohemianpool\.com|xmr\.crypto\-pool\.fr|xmr\.crypto\-pool\.info|xmr\.f2pool\.com|xmr\.hashcity\.org|xmr\.hex7e4\.ru|xmr\.ip28\.net|xmr\.monerpool\.org|xmr\.mypool\.online|xmr\.nanopool\.org|xmr\.pool\.gntl\.co\.uk|xmr\.pool\.minergate\.com|xmr\.poolto\.be|xmr\.ppxxmr\.com|xmr\.prohash\.net|xmr\.simka\.pw|xmr\.somec\.cc|xmr\.suprnova\.cc|xmr\.usa\-138\.com|xmr\.vip\.pool\.minergate\.com|xmr1min\.monerpool\.org|xmrf\.520fjh\.org|xmrf\.fjhan\.club|xmrfast\.com|xmrigcc\.graef\.in|xmrminer\.cc|xmrpool\.de|xmrpool\.eu|xmrpool\.me|xmrpool\.net|xmrpool\.xyz|xx11m\.monerpool\.org|xx11mv2\.monerpool\.org|xxx\.hex7e4\.ru|zarabotaibitok\.ru|zer0day\.ru)$</field>
    </rule>
    <rule id="900769" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1102.001</id>
        </mitre>
        <description>Potential Dead Drop Resolvers</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.t\.me|4shared\.com|anonfiles\.com|cdn\.discordapp\.com|cloudflare\.com|ddns\.net|discord\.com|docs\.google\.com|drive\.google\.com|dropbox\.com|dropmefiles\.com|facebook\.com|feeds\.rapidfeeds\.com|fotolog\.com|ghostbin\.co/|githubusercontent\.com|gofile\.io|hastebin\.com|imgur\.com|livejournal\.com|mediafire\.com|mega\.co\.nz|mega\.nz|onedrive\.com|paste\.ee|pastebin\.com|pastebin\.pl|pastetext\.net|privatlab\.com|privatlab\.net|reddit\.com|send\.exploit\.in|sendspace\.com|steamcommunity\.com|storage\.googleapis\.com|technet\.microsoft\.com|temp\.sh|transfer\.sh|twitter\.com|ufile\.io|abuse\.ch|vimeo\.com|wetransfer\.com|youtube\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Safari\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Safari\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\ Advanced\ Threat\ Protection\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsSense\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+PRTG\ Network\ Monitor\\+PRTG\ Probe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+PRTG\ Network\ Monitor\\+PRTG\ Probe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+BraveSoftware\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Maxthon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SeaMonkey\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Vivaldi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Naver\\+Naver\ Whale\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Waterfox\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Waterfox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+midori\-ng\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Midori\ Next\ Generation\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SlimBrowser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slimbrowser\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Flock\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Flock\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Phoebe\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Phoebe\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Falkon\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+falkon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+QtWeb\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+QtWeb\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+QtWeb\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avant\ Browser\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+avant\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+WindowsApps\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WhatsApp\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:facebook\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Telegram\ Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Telegram\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:\.t\.me)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OneDrive\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:onedrive\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dropbox\\+Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+DropboxInstaller\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:dropbox\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsync\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup32_.+RC\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAsyncSetup64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MEGAupdater\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:mega\.co\.nz)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:mega\.nz)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:GoogleDriveFS\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:drive\.google\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:discord\.com)$</field>
        <field name="win.eventdata.destinationHostname" negate="yes" type="pcre2">(?i)(?:cdn\.discordapp\.com)$</field>
    </rule>
    <rule id="900770" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To DevTunnels Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.devtunnels\.ms)$</field>
    </rule>
    <rule id="900771" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Dropbox API Usage</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:api\.dropboxapi\.com|content\.dropboxapi\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Dropbox</field>
    </rule>
    <rule id="900772" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
        </mitre>
        <description>Suspicious Network Connection to IP Lookup Service APIs</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)^(?:www\.ip\.cn|l2\.io)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.2ip\.ua|api\.bigdatacloud\.net|api\.ipify\.org|bot\.whatismyipaddress\.com|canireachthe\.net|checkip\.amazonaws\.com|checkip\.dyndns\.org|curlmyip\.com|db\-ip\.com|edns\.ip\-api\.com|eth0\.me|freegeoip\.app|geoipy\.com|getip\.pro|icanhazip\.com|ident\.me|ifconfig\.io|ifconfig\.me|ip\-api\.com|ip\.360\.cn|ip\.anysrc\.net|ip\.taobao\.com|ip\.tyk\.nu|ipaddressworld\.com|ipapi\.co|ipconfig\.io|ipecho\.net|ipinfo\.io|ipip\.net|ipof\.in|ipv4\.icanhazip\.com|ipv4bot\.whatismyipaddress\.com|ipv6\-test\.com|ipwho\.is|jsonip\.com|myexternalip\.com|seeip\.org|wgetip\.com|whatismyip\.akamai\.com|whois\.pconline\.com\.cn|wtfismyip\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900773" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Non-Browser Network Communication With Google API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)drive\.googleapis\.com|oauth2\.googleapis\.com|sheets\.googleapis\.com|www\.googleapis\.com</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GoogleDriveFS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\\+EdgeCore\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
    </rule>
    <rule id="900774" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Potentially Suspicious Malware Callback Communication</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:100|198|200|243|473|666|700|743|777|1443|1515|1777|1817|1904|1960|2443|2448|3360|3675|3939|4040|4433|4438|4443|4444|4455|5445|5552|5649|6625|7210|7777|8143|8843|9631|9943|10101|12102|12103|12322|13145|13394|13504|13505|13506|13507|14102|14103|14154|49180|65520|65535)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
    </rule>
    <rule id="900775" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Potentially Suspicious Malware Callback Communication</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:100|198|200|243|473|666|700|743|777|1443|1515|1777|1817|1904|1960|2443|2448|3360|3675|3939|4040|4433|4438|4443|4444|4455|5445|5552|5649|6625|7210|7777|8143|8843|9631|9943|10101|12102|12103|12322|13145|13394|13504|13505|13506|13507|14102|14103|14154|49180|65520|65535)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900776" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Communication To Uncommon Destination Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:8080|8888)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
    </rule>
    <rule id="900777" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Communication To Uncommon Destination Ports</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:8080|8888)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="900778" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:88)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="900779" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>Uncommon Outbound Kerberos Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:88)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tomcat\\+bin\\+tomcat8\.exe)$</field>
    </rule>
    <rule id="900780" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1055</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Microsoft Sync Center Suspicious Network Connections</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mobsync\.exe)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
    </rule>
    <rule id="900781" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>Suspicious Outbound SMTP Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:25|587|465|2525)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thunderbird\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+microsoft\.windowscommunicationsapps_)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+HxTsr\.exe)$</field>
    </rule>
    <rule id="900782" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Program Location with Network Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin|:\\+Perflogs\\+|:\\+Users\\+Default\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Fonts\\+|:\\+Windows\\+IME\\+|\\+config\\+systemprofile\\+|\\+Windows\\+addins\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+IBM\\+ClientSolutions\\+Start_Programs\\+</field>
    </rule>
    <rule id="900783" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Potential Remote PowerShell Session Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:5985|5986)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:false)</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)NETWORK\ SERVICE</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)NETZWERKDIENST</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVICIO\ DE\ RED</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVIZIO\ DI\ RETE</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SERVICE\ R</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)SEAU</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.1)</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)^(?:::1)$</field>
        <field name="win.eventdata.destinationIp" negate="yes" type="pcre2">(?i)^(?:127\.0\.0\.1)$</field>
    </rule>
    <rule id="900784" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Potential Remote PowerShell Session Initiated</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationPort" negate="no" type="pcre2">(?i)^(?:5985|5986)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:false)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avast\ Software\\+Avast\\+AvastSvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avast\ Software\\+Avast\\+AvastSvc\.exe)$</field>
    </rule>
    <rule id="900785" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Non-Browser Network Communication With Telegram API</description>
        <options>no_full_log</options>
        <group>windows,network_connection,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)api\.telegram\.org</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+brave\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Chrome\\+Application\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Mozilla\ Firefox\\+firefox\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Internet\ Explorer\\+iexplore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+maxthon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+Application\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+EdgeCore\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+safari\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+seamonkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whale\.exe)$</field>
    </rule>
    <rule id="900786" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.001</id>
        </mitre>
        <description>Network Connection Initiated To Visual Studio Code Tunnels Domain</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.destinationHostname" negate="no" type="pcre2">(?i)(?:\.tunnels\.api\.visualstudio\.com)$</field>
    </rule>
    <rule id="900787" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.command_and_control</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Outbound Network Connection To Public IP Via Winlogon</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe)$</field>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
    </rule>
    <rule id="900788" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
        </mitre>
        <description>Suspicious Wordpad Outbound Connections</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.initiated" negate="no" type="pcre2">(?i)^(?:true)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wordpad\.exe)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:80)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:139)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:443)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:445)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:465)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:587)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:993)$</field>
        <field name="win.eventdata.destinationPort" negate="yes" type="pcre2">(?i)^(?:995)$</field>
    </rule>
    <rule id="900789" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Wuauclt Network Connection</description>
        <options>no_full_log</options>
        <group>network_connection,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)wuauclt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /RunHandlerComServer</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:127\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:10\.0\.0\.0/8)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:169\.254\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:172\.16\.0\.0/12)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:192\.168\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:::1/128)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fe80::/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:fc00::/7)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.184\.0\.0/13)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:20\.192\.0\.0/10)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:23\.79\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.10\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.103\.0\.0/16)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:51\.104\.0\.0/15)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:52\.224\.0\.0/11)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+Packages\\+Preview\\+amd64\\+updatedeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+amd64\\+UpdateDeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+UpdateDeploy\.dll\ /ClassId\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="900790" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1005</id>
        </mitre>
        <description>ADFS Database Named Pipe Connection By Uncommon Tool</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+MICROSOFT\#\#WID\\+tsql\\+query)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+WID\\+Binn\\+sqlwriter\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AzureADConnect\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.Identity\.Health\.Adfs\.PshSurrogate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.IdentityServer\.ServiceHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.Tri\.Sensor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+tssdis\.exe)$</field>
    </rule>
    <rule id="900791" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+MSSE\-</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\-server</field>
    </rule>
    <rule id="900792" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+postex_)</field>
    </rule>
    <rule id="900793" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+status_)</field>
    </rule>
    <rule id="900794" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+msagent_)</field>
    </rule>
    <rule id="900795" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+mojo_)</field>
    </rule>
    <rule id="900796" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+interprocess_)</field>
    </rule>
    <rule id="900797" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+samr_)</field>
    </rule>
    <rule id="900798" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+netlogon_)</field>
    </rule>
    <rule id="900799" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+srvsvc_)</field>
    </rule>
    <rule id="900800" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+lsarpc_)</field>
    </rule>
    <rule id="900801" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+wkssvc_)</field>
    </rule>
    <rule id="900802" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>CobaltStrike Named Pipe Pattern Regex</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+wkssvc_?[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+ntsvcs[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+DserNamePipe[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+SearchTextHarvester[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+mypipe-(?:f|h)[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+windows\.update\.manager[0-9a-f]{2,3}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+ntsvcs_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+scerpc_?[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+PGMessagePipe[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+MsFteWds[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+f4c3[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+fullduplex_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+msrpc_[0-9a-f]{4}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+win\\+msrpc_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+f53f[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+rpc_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+spoolss_[0-9a-f]{2}</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+Winsock2\\+CatalogChangeListener-[0-9a-f]{3}-0,</field>
    </rule>
    <rule id="900803" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+DserNamePipe|\\+f4c3|\\+f53f|\\+fullduplex_|\\+mojo\.5688\.8052\.183894939787088877|\\+mojo\.5688\.8052\.35780273329370473|\\+MsFteWds|\\+msrpc_|\\+mypipe\-f|\\+mypipe\-h|\\+ntsvcs|\\+PGMessagePipe|\\+rpc_|\\+scerpc|\\+SearchTextHarvester|\\+spoolss|\\+win_svc|\\+win\\+msrpc_|\\+windows\.update\.manager|\\+wkssvc)</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+demoagent_11|\\+demoagent_22)$</field>
    </rule>
    <rule id="900804" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+Winsock2\\+CatalogChangeListener\-)</field>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)(?:\-0,)$</field>
    </rule>
    <rule id="900805" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+wkssvc)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+spoolss)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+scerpc)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+ntsvcs)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+SearchTextHarvester)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+PGMessagePipe)$</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+MsFteWds)$</field>
    </rule>
    <rule id="900806" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>stp.1k</id>
        </mitre>
        <description>CobaltStrike Named Pipe Patterns</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Websense\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Websense\\+</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+DserNamePipeR)</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+DserNamePipeW)</field>
    </rule>
    <rule id="900807" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Named Pipe Creation</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+coerced\\+</field>
    </rule>
    <rule id="900808" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - DiagTrackEoP Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)thisispipe</field>
    </rule>
    <rule id="900809" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - EfsPotato Named Pipe Creation</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+pipe\\+|\\+pipe\\+srvsvc</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)\\+CtxShare</field>
        <field name="win.eventdata.pipeName" negate="yes" type="pcre2">(?i)^(?:\\+pipe\\+)</field>
    </rule>
    <rule id="900810" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
        </mitre>
        <description>HackTool - Credential Dumping Tools Named Pipe Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+cachedump|\\+lsadump|\\+wceservicepipe</field>
    </rule>
    <rule id="900811" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
            <id>attack.t1134.001</id>
        </mitre>
        <description>HackTool - Koh Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+imposecost|\\+imposingcost</field>
    </rule>
    <rule id="900812" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+dsac\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+inetsrv\\+w3wp\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+sdiagnhost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+ServerManager\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+wbem\\+wmiprvse\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+wsmprovhost\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell_ise\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ SQL\ Server\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Tools\\+Binn\\+SQLPS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="900813" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Citrix\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+</field>
    </rule>
    <rule id="900814" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>New PowerShell Instance Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSHost)</field>
    </rule>
    <rule id="900815" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CSExec Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+csexecsvc</field>
    </rule>
    <rule id="900816" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - PAExec Default Named Pipe</description>
        <options>no_full_log</options>
        <group>pipe_created,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PAExec)</field>
    </rule>
    <rule id="900817" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - RemCom Default Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)\\+RemCom</field>
    </rule>
    <rule id="900818" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1047</id>
            <id>attack.execution</id>
        </mitre>
        <description>WMI Event Consumer Created Named Pipe</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
    </rule>
    <rule id="900819" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Malicious Named Pipe Created</description>
        <options>no_full_log</options>
        <group>windows,pipe_created,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+46a676ab7f179e511e30dd2dc41bd388|\\+583da945\-62af\-10e8\-4902\-a8f205c72b2e|\\+6e7645c4\-32c5\-4fe3\-aabf\-e94c2f4370e7|\\+9f81f59bc58452127884ce513865ed20|\\+adschemerpc|\\+ahexec|\\+AnonymousPipe|\\+bc31a7|\\+bc367|\\+bizkaz|\\+csexecsvc|\\+dce_3d|\\+e710f28d59aa529d6792ca6ff0ca1b34|\\+gruntsvc|\\+isapi_dg|\\+isapi_dg2|\\+isapi_http|\\+jaccdpqnvbrrxlaf|\\+lsassw|\\+NamePipe_MoreWindows|\\+pcheap_reuse|\\+Posh.+|\\+rpchlp_3|\\+sdlrpc|\\+svcctl|\\+testPipe|\\+winsession)$</field>
    </rule>
    <rule id="900820" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PsExec Tool Execution From Suspicious Locations - PipeName</description>
        <options>no_full_log</options>
        <group>pipe_created,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.pipeName" negate="no" type="pcre2">(?i)^(?:\\+PSEXESVC)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+</field>
    </rule>
    <rule id="900821" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Nslookup PowerShell Download Cradle</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)powershell</field>
        <field name="full_log" negate="no" type="pcre2">(?i)nslookup</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\[1\]</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-q=txt\ http|\-querytype=txt\ http</field>
    </rule>
    <rule id="900822" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Delete Volume Shadow Copies Via WMI With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Get\-WmiObject</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Win32_Shadowcopy</field>
        <field name="full_log" negate="no" type="pcre2">(?i)Delete|Remove\-WmiObject</field>
    </rule>
    <rule id="900823" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Downgrade Attack - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)EngineVersion=2\.</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostVersion=2\.</field>
    </rule>
    <rule id="900824" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>Netcat The Powershell Version</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)powercat\ |powercat\.ps1</field>
    </rule>
    <rule id="900825" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)ModuleContents=function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{</field>
    </rule>
    <rule id="900826" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session (PS Classic)</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ServerRemoteHost</field>
        <field name="full_log" negate="no" type="pcre2">(?i)wsmprovhost\.exe</field>
    </rule>
    <rule id="900827" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Renamed Powershell Under Powershell Channel</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ConsoleHost</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
    </rule>
    <rule id="900828" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
        </mitre>
        <description>Use Get-NetTCPConnection</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Get\-NetTCPConnection</field>
    </rule>
    <rule id="900829" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900830" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - PSClassic</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_provider_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="full_log" negate="no" type="pcre2">(?i)\-dbaf\ \$true|\-dbaf\ 1|\-dbm\ \$true|\-dbm\ 1|\-dips\ \$true|\-dips\ 1|\-DisableArchiveScanning\ \$true|\-DisableArchiveScanning\ 1|\-DisableBehaviorMonitoring\ \$true|\-DisableBehaviorMonitoring\ 1|\-DisableBlockAtFirstSeen\ \$true|\-DisableBlockAtFirstSeen\ 1|\-DisableCatchupFullScan\ \$true|\-DisableCatchupFullScan\ 1|\-DisableCatchupQuickScan\ \$true|\-DisableCatchupQuickScan\ 1|\-DisableIntrusionPreventionSystem\ \$true|\-DisableIntrusionPreventionSystem\ 1|\-DisableIOAVProtection\ \$true|\-DisableIOAVProtection\ 1|\-DisableRealtimeMonitoring\ \$true|\-DisableRealtimeMonitoring\ 1|\-DisableRemovableDriveScanning\ \$true|\-DisableRemovableDriveScanning\ 1|\-DisableScanningMappedNetworkDrivesForFullScan\ \$true|\-DisableScanningMappedNetworkDrivesForFullScan\ 1|\-DisableScanningNetworkFiles\ \$true|\-DisableScanningNetworkFiles\ 1|\-DisableScriptScanning\ \$true|\-DisableScriptScanning\ 1|\-MAPSReporting\ \$false|\-MAPSReporting\ 0|\-drdsc\ \$true|\-drdsc\ 1|\-drtm\ \$true|\-drtm\ 1|\-dscrptsc\ \$true|\-dscrptsc\ 1|\-dsmndf\ \$true|\-dsmndf\ 1|\-dsnf\ \$true|\-dsnf\ 1|\-dss\ \$true|\-dss\ 1</field>
    </rule>
    <rule id="900831" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - PSClassic</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_provider_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="full_log" negate="no" type="pcre2">(?i)HighThreatDefaultAction\ Allow|htdefac\ Allow|LowThreatDefaultAction\ Allow|ltdefac\ Allow|ModerateThreatDefaultAction\ Allow|mtdefac\ Allow|SevereThreatDefaultAction\ Allow|stdefac\ Allow</field>
    </rule>
    <rule id="900832" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>Suspicious Non PowerShell WSMAN COM Provider</description>
        <options>no_full_log</options>
        <group>windows,powershell-classic,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)ProviderName=WSMan</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
    </rule>
    <rule id="900833" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious XOR Encoded PowerShell Command Line - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_classic_start,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)HostName=ConsoleHost</field>
        <field name="full_log" negate="no" type="pcre2">(?i)bxor|char|join</field>
    </rule>
    <rule id="900834" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Alternate PowerShell Hosts - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i).+</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:/Windows/System32/WindowsPowerShell/v1\.0/powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:/Windows/SysWOW64/WindowsPowerShell/v1\.0/powershell</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)=\ C:\\+WINDOWS\\+System32\\+sdiagnhost\.exe\ \-Embedding</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)ConfigSyncRun\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+dsac\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)C:\\+Windows\\+system32\\+wsmprovhost\.exe\ \-Embedding</field>
        <field name="win.eventdata.payload" negate="yes" type="pcre2">(?i)Update\-Help</field>
        <field name="win.eventdata.payload" negate="yes" type="pcre2">(?i)Failed\ to\ update\ Help\ for\ the\ module</field>
    </rule>
    <rule id="900835" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Bad Opsec Powershell Code Artifacts</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$DoIt|harmj0y|mattifestation|_RastaMouse|tifkin_|0xdeadbeef</field>
    </rule>
    <rule id="900836" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)вЂ“HistorySaveStyle</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900837" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\-HistorySaveStyle</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900838" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
        </mitre>
        <description>PowerShell Decompress Commands</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Expand\-Archive</field>
    </rule>
    <rule id="900839" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Add\-ConstrainedDelegationBackdoor\.ps1|Add\-Exfiltration\.ps1|Add\-Persistence\.ps1|Add\-RegBackdoor\.ps1|Add\-RemoteRegBackdoor\.ps1|Add\-ScrnSaveBackdoor\.ps1|Check\-VM\.ps1|ConvertTo\-ROT13\.ps1|Copy\-VSS\.ps1|Create\-MultipleSessions\.ps1|DNS_TXT_Pwnage\.ps1|dnscat2\.ps1|Do\-Exfiltration\.ps1|DomainPasswordSpray\.ps1|Download_Execute\.ps1|Download\-Execute\-PS\.ps1|Enabled\-DuplicateToken\.ps1|Enable\-DuplicateToken\.ps1|Execute\-Command\-MSSQL\.ps1|Execute\-DNSTXT\-Code\.ps1|Execute\-OnTime\.ps1|ExetoText\.ps1|Exploit\-Jboss\.ps1|Find\-AVSignature\.ps1|Find\-Fruit\.ps1|Find\-GPOLocation\.ps1|Find\-TrustedDocuments\.ps1|FireBuster\.ps1|FireListener\.ps1|Get\-ApplicationHost\.ps1|Get\-ChromeDump\.ps1|Get\-ClipboardContents\.ps1|Get\-ComputerDetail\.ps1|Get\-FoxDump\.ps1|Get\-GPPAutologon\.ps1|Get\-GPPPassword\.ps1|Get\-IndexedItem\.ps1|Get\-Keystrokes\.ps1|Get\-LSASecret\.ps1|Get\-MicrophoneAudio\.ps1|Get\-PassHashes\.ps1|Get\-PassHints\.ps1|Get\-RegAlwaysInstallElevated\.ps1|Get\-RegAutoLogon\.ps1|Get\-RickAstley\.ps1|Get\-Screenshot\.ps1|Get\-SecurityPackages\.ps1|Get\-ServiceFilePermission\.ps1|Get\-ServicePermission\.ps1|Get\-ServiceUnquoted\.ps1|Get\-SiteListPassword\.ps1|Get\-System\.ps1|Get\-TimedScreenshot\.ps1|Get\-UnattendedInstallFile\.ps1|Get\-Unconstrained\.ps1|Get\-USBKeystrokes\.ps1|Get\-VaultCredential\.ps1|Get\-VulnAutoRun\.ps1|Get\-VulnSchTask\.ps1|Get\-WebConfig\.ps1|Get\-WebCredentials\.ps1|Get\-WLAN\-Keys\.ps1|Gupt\-Backdoor\.ps1|HTTP\-Backdoor\.ps1|HTTP\-Login\.ps1|Install\-ServiceBinary\.ps1|Install\-SSP\.ps1|Invoke\-ACLScanner\.ps1|Invoke\-ADSBackdoor\.ps1|Invoke\-AmsiBypass\.ps1|Invoke\-ARPScan\.ps1|Invoke\-BackdoorLNK\.ps1|Invoke\-BadPotato\.ps1|Invoke\-BetterSafetyKatz\.ps1|Invoke\-BruteForce\.ps1|Invoke\-BypassUAC\.ps1|Invoke\-Carbuncle\.ps1|Invoke\-Certify\.ps1|Invoke\-ConPtyShell\.ps1|Invoke\-CredentialInjection\.ps1|Invoke\-CredentialsPhish\.ps1|Invoke\-DAFT\.ps1|Invoke\-DCSync\.ps1|Invoke\-Decode\.ps1|Invoke\-DinvokeKatz\.ps1|Invoke\-DllInjection\.ps1|Invoke\-DowngradeAccount\.ps1|Invoke\-EgressCheck\.ps1|Invoke\-Encode\.ps1|Invoke\-EventViewer\.ps1|Invoke\-Eyewitness\.ps1|Invoke\-FakeLogonScreen\.ps1|Invoke\-Farmer\.ps1|Invoke\-Get\-RBCD\-Threaded\.ps1|Invoke\-Gopher\.ps1|Invoke\-Grouper2\.ps1|Invoke\-Grouper3\.ps1|Invoke\-HandleKatz\.ps1|Invoke\-Interceptor\.ps1|Invoke\-Internalmonologue\.ps1|Invoke\-Inveigh\.ps1|Invoke\-InveighRelay\.ps1|Invoke\-JSRatRegsvr\.ps1|Invoke\-JSRatRundll\.ps1|Invoke\-KrbRelay\.ps1|Invoke\-KrbRelayUp\.ps1|Invoke\-LdapSignCheck\.ps1|Invoke\-Lockless\.ps1|Invoke\-MalSCCM\.ps1|Invoke\-Mimikatz\.ps1|Invoke\-MimikatzWDigestDowngrade\.ps1|Invoke\-Mimikittenz\.ps1|Invoke\-MITM6\.ps1|Invoke\-NanoDump\.ps1|Invoke\-NetRipper\.ps1|Invoke\-NetworkRelay\.ps1|Invoke\-NinjaCopy\.ps1|Invoke\-OxidResolver\.ps1|Invoke\-P0wnedshell\.ps1|Invoke\-P0wnedshellx86\.ps1|Invoke\-Paranoia\.ps1|Invoke\-PortScan\.ps1|Invoke\-PoshRatHttp\.ps1|Invoke\-PoshRatHttps\.ps1|Invoke\-PostExfil\.ps1|Invoke\-PowerDump\.ps1|Invoke\-PowerShellIcmp\.ps1|Invoke\-PowerShellTCP\.ps1|Invoke\-PowerShellTcpOneLine\.ps1|Invoke\-PowerShellTcpOneLineBind\.ps1|Invoke\-PowerShellUdp\.ps1|Invoke\-PowerShellUdpOneLine\.ps1|Invoke\-PowerShellWMI\.ps1|Invoke\-PowerThIEf\.ps1|Invoke\-PPLDump\.ps1|Invoke\-Prasadhak\.ps1|Invoke\-PsExec\.ps1|Invoke\-PsGcat\.ps1|Invoke\-PsGcatAgent\.ps1|Invoke\-PSInject\.ps1|Invoke\-PsUaCme\.ps1|Invoke\-ReflectivePEInjection\.ps1|Invoke\-ReverseDNSLookup\.ps1|Invoke\-Rubeus\.ps1|Invoke\-RunAs\.ps1|Invoke\-SafetyKatz\.ps1|Invoke\-SauronEye\.ps1|Invoke\-SCShell\.ps1|Invoke\-Seatbelt\.ps1|Invoke\-ServiceAbuse\.ps1|Invoke\-SessionGopher\.ps1|Invoke\-ShellCode\.ps1|Invoke\-SMBScanner\.ps1|Invoke\-Snaffler\.ps1|Invoke\-Spoolsample\.ps1|Invoke\-SSHCommand\.ps1|Invoke\-SSIDExfil\.ps1|Invoke\-StandIn\.ps1|Invoke\-StickyNotesExtract\.ps1|Invoke\-Tater\.ps1|Invoke\-Thunderfox\.ps1|Invoke\-ThunderStruck\.ps1|Invoke\-TokenManipulation\.ps1|Invoke\-Tokenvator\.ps1|Invoke\-TotalExec\.ps1|Invoke\-UrbanBishop\.ps1|Invoke\-UserHunter\.ps1|Invoke\-VoiceTroll\.ps1|Invoke\-Whisker\.ps1|Invoke\-WinEnum\.ps1|Invoke\-winPEAS\.ps1|Invoke\-WireTap\.ps1|Invoke\-WmiCommand\.ps1|Invoke\-WScriptBypassUAC\.ps1|Invoke\-Zerologon\.ps1|Keylogger\.ps1|MailRaider\.ps1|New\-HoneyHash\.ps1|OfficeMemScraper\.ps1|Offline_Winpwn\.ps1|Out\-CHM\.ps1|Out\-DnsTxt\.ps1|Out\-Excel\.ps1|Out\-HTA\.ps1|Out\-Java\.ps1|Out\-JS\.ps1|Out\-Minidump\.ps1|Out\-RundllCommand\.ps1|Out\-SCF\.ps1|Out\-SCT\.ps1|Out\-Shortcut\.ps1|Out\-WebQuery\.ps1|Out\-Word\.ps1|Parse_Keys\.ps1|Port\-Scan\.ps1|PowerBreach\.ps1|powercat\.ps1|PowerRunAsSystem\.psm1|PowerSharpPack\.ps1|PowerUp\.ps1|PowerUpSQL\.ps1|PowerView\.ps1|PSAsyncShell\.ps1|RemoteHashRetrieval\.ps1|Remove\-Persistence\.ps1|Remove\-PoshRat\.ps1|Remove\-Update\.ps1|Run\-EXEonRemote\.ps1|Schtasks\-Backdoor\.ps1|Set\-DCShadowPermissions\.ps1|Set\-MacAttribute\.ps1|Set\-RemotePSRemoting\.ps1|Set\-RemoteWMI\.ps1|Set\-Wallpaper\.ps1|Show\-TargetScreen\.ps1|Speak\.ps1|Start\-CaptureServer\.ps1|Start\-WebcamRecorder\.ps1|StringToBase64\.ps1|TexttoExe\.ps1|VolumeShadowCopyTools\.ps1|WinPwn\.ps1|WSUSpendu\.ps1</field>
    </rule>
    <rule id="900840" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Scripts - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Invoke\-Sharp</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.ps1</field>
    </rule>
    <rule id="900841" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Get-ADDBAccount Usage</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-ADDBAccount</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:BootKey\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:DatabasePath\ )</field>
    </rule>
    <rule id="900842" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>PowerShell Get Clipboard</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-Clipboard</field>
    </rule>
    <rule id="900843" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&amp;&amp;.+clipboard]::\(\s\\+"\{\d\}.+-f.+"</field>
    </rule>
    <rule id="900844" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\[String\]\s*\$VerbosePreference</field>
    </rule>
    <rule id="900845" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation STDIN+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"</field>
    </rule>
    <rule id="900846" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\+"\s+?-f(?:.*\)){1,}.*"</field>
    </rule>
    <rule id="900847" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:readtoend)$</field>
    </rule>
    <rule id="900848" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900849" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*(set).*&amp;&amp;\s?set.*(environment|invoke|\$?\{?input).*&amp;&amp;.*"</field>
    </rule>
    <rule id="900850" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*?echo.*clip.*&amp;&amp;.*(Clipboard|i`?n`?v`?o`?k`?e`?).*</field>
    </rule>
    <rule id="900851" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="900852" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900853" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i).*&amp;&amp;set.*(\{\d\}){2,}\\+"\s+?-f.*&amp;&amp;.*cmd.*/c</field>
    </rule>
    <rule id="900854" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|Check\-VM|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Disable\-MachineAccount|Do\-Exfiltration|Enable\-ADIDNSNode|Enable\-MachineAccount|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADR|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNS|Get\-ApplicationHost|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-MachineAccountAttribute|Get\-MachineAccountCreator|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-Screenshot|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|HTTP\-Login|Install\-ServiceBinary|Install\-SSP|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-DNSRecordArray|New\-HoneyHash|New\-InMemoryModule|New\-MachineAccount|New\-SOASerialNumberArray|Out\-Minidump|Port\-Scan|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-MachineAccount|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Set\-MacAttribute|Set\-MachineAccountAttribute|Set\-Wallpaper|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
    </rule>
    <rule id="900855" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)ModuleContents=function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{</field>
    </rule>
    <rule id="900856" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session (PS Module)</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ =\ ServerRemoteHost\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)wsmprovhost\.exe</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)\\+Windows\\+system32\\+WindowsPowerShell\\+v1\.0\\+Modules\\+Microsoft\.PowerShell\.Archive\\+Microsoft\.PowerShell\.Archive\.psm1</field>
    </rule>
    <rule id="900857" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
    </rule>
    <rule id="900858" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - PoshModule</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
    </rule>
    <rule id="900859" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
        </mitre>
        <description>Use Get-NetTCPConnection - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Get\-NetTCPConnection</field>
    </rule>
    <rule id="900860" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="900861" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="900862" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="900863" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)add</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)HKCU\\+software\\+microsoft\\+windows\\+currentversion\\+run</field>
    </rule>
    <rule id="900864" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="900865" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="900866" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString\('https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.system.contextInfo" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="900867" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
    </rule>
    <rule id="900868" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)Win32_Group</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Win32_Group</field>
    </rule>
    <rule id="900869" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Suspicious Computer Machine Password by PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Reset\-ComputerMachinePassword</field>
    </rule>
    <rule id="900870" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Information for SMB Share - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)get\-smbshare</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)get\-smbshare</field>
    </rule>
    <rule id="900871" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp  - PowerShell Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="900872" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>SyncAppvPublishingServer Bypass Powershell Restriction - PS Module</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.contextInfo" negate="no" type="pcre2">(?i)SyncAppvPublishingServer\.exe</field>
    </rule>
    <rule id="900873" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.impact</id>
        </mitre>
        <description>AADInternals PowerShell Cmdlets Execution - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-AADInt|ConvertTo\-AADInt|Disable\-AADInt|Enable\-AADInt|Export\-AADInt|Get\-AADInt|Grant\-AADInt|Install\-AADInt|Invoke\-AADInt|Join\-AADInt|New\-AADInt|Open\-AADInt|Read\-AADInt|Register\-AADInt|Remove\-AADInt|Restore\-AADInt|Search\-AADInt|Send\-AADInt|Set\-AADInt|Start\-AADInt|Update\-AADInt</field>
    </rule>
    <rule id="900874" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.impact</id>
        </mitre>
        <description>Potential Active Directory Enumeration Using AD Module - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Import\-Module\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Microsoft\.ActiveDirectory\.Management\.dll</field>
    </rule>
    <rule id="900875" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.discovery</id>
            <id>attack.impact</id>
        </mitre>
        <description>Potential Active Directory Enumeration Using AD Module - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ipmo\ Microsoft\.ActiveDirectory\.Management\.dll</field>
    </rule>
    <rule id="900876" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1565</id>
        </mitre>
        <description>Powershell Add Name Resolution Policy Table Rule</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-DnsClientNrptRule</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Namesp</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-NameSe</field>
    </rule>
    <rule id="900877" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell ADRecon Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Function\ Get\-ADRExcelComOb|Get\-ADRGPO|Get\-ADRDomainController|ADRecon\-Report\.xlsx</field>
    </rule>
    <rule id="900878" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.execution</id>
        </mitre>
        <description>AMSI Bypass Pattern Assembly GetType</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Ref\]\.Assembly\.GetType</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SetValue$\$null,\$true$</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)NonPublic,Static</field>
    </rule>
    <rule id="900879" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Script Using NULL Bits</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)if$0$\{\{\{0\}\}\}'\ \-f\ \$$0\ \-as\ \[char\]$\ \+|\#&lt;NULL&gt;</field>
    </rule>
    <rule id="900880" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
            <id>attack.t1572</id>
            <id>attack.impact</id>
            <id>attack.t1529</id>
            <id>attack.g0091</id>
            <id>attack.s0363</id>
        </mitre>
        <description>Silence.EDA Detection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Diagnostics\.Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Stop\-Computer</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Restart\-Computer</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Exception\ in\ execution</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$cmdargs</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Close\-Dnscat2Tunnel</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)set\ type=\$LookupType`nserver</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Command\ \|\ nslookup\ 2&gt;\&amp;1\ \|\ Out\-String</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-RandomDNSField</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Convert\]::ToString$\$SYNOptions,\ 16$</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Session\.Dead\ =\ \$True</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$Session\["Driver"\]\ \-eq</field>
    </rule>
    <rule id="900881" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Get-ADUser Enumeration Using UserAccountControl Flags</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ADUser</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Filter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)useraccountcontrol</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-band</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)4194304</field>
    </rule>
    <rule id="900882" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Potential Data Exfiltration Via Audio File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Math\]::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[IO\.FileMode\]::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)BinaryWriter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x52</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x49</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x46</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x57</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x41</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x56</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x45</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0xAC</field>
    </rule>
    <rule id="900883" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1113</id>
        </mitre>
        <description>Windows Screen Capture with CopyFromScreen</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.CopyFromScreen</field>
    </rule>
    <rule id="900884" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clearing Windows Console History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Clear\-History</field>
    </rule>
    <rule id="900885" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clearing Windows Console History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-Item|rm</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ConsoleHost_history\.txt|$Get\-PSReadlineOption$\.HistorySavePath</field>
    </rule>
    <rule id="900886" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)вЂ“HistorySaveStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900887" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Clear PowerShell History - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-PSReadlineOption</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-HistorySaveStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SaveNothing</field>
    </rule>
    <rule id="900888" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Powershell Create Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-ScheduledTaskAction|New\-ScheduledTaskTrigger|New\-ScheduledTaskPrincipal|New\-ScheduledTaskSettingsSet|New\-ScheduledTask|Register\-ScheduledTask</field>
    </rule>
    <rule id="900889" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Powershell Create Scheduled Task</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-CimMethod</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ClassName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PS_ScheduledTask</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-NameSpace</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Root\\+Microsoft\\+Windows\\+TaskScheduler</field>
    </rule>
    <rule id="900890" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-ADComputer\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ \\+.+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \|\ Select\ |Out\-File|Set\-Content|Add\-Content</field>
    </rule>
    <rule id="900891" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556.002</id>
        </mitre>
        <description>Powershell Install a DLL in System Directory</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\+Windows\\+(System32|SysWOW64)</field>
    </rule>
    <rule id="900892" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Registry-Free Process Scope COR_PROFILER</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_ENABLE_PROFILING</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_PROFILER</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:COR_PROFILER_PATH</field>
    </rule>
    <rule id="900893" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>PowerShell Create Local User</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-LocalUser</field>
    </rule>
    <rule id="900894" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Create Volume Shadow Copy with Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_shadowcopy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\)\.Create\(</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ClientAccessible</field>
    </rule>
    <rule id="900895" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>DirectorySearcher Powershell Exploitation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-Object\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.DirectorySearcher</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.PropertiesToLoad\.Add</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.findall</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Properties\.name</field>
    </rule>
    <rule id="900896" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.002</id>
        </mitre>
        <description>Manipulation of User Computer or Group Security Principals Across AD</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.AccountManagement</field>
    </rule>
    <rule id="900897" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Disable Powershell Command History</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-Module</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)psreadline</field>
    </rule>
    <rule id="900898" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1620</id>
        </mitre>
        <description>Potential In-Memory Execution Using Reflection.Assembly</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Reflection\.Assembly\]::load</field>
    </rule>
    <rule id="900899" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-PasswordVaultCredentials|Get\-CredManCreds</field>
    </rule>
    <rule id="900900" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Windows\.Security\.Credentials\.PasswordVault</field>
    </rule>
    <rule id="900901" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>Dump Credentials from Windows Credential Manager With PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Microsoft\.CSharp\.CSharpCodeProvider</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Runtime\.InteropServices\.RuntimeEnvironment\]::GetRuntimeDirectory\)</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Collections\.ArrayList</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.CodeDom\.Compiler\.CompilerParameters</field>
    </rule>
    <rule id="900902" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Enable Windows Remote Management</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Enable\-PSRemoting\ )</field>
    </rule>
    <rule id="900903" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Remove\-EtwTraceProvider\ )</field>
    </rule>
    <rule id="900904" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-EtwTraceProvider\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)0x11</field>
    </rule>
    <rule id="900905" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox SMTP Forward Rule</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Mailbox\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-DeliverToMailboxAndForward\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-ForwardingSmtpAddress\ )</field>
    </rule>
    <rule id="900906" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Certificate Exported Via PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Export\-PfxCertificate|Export\-Certificate</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)CmdletsToExport\ =\ @\(</field>
    </rule>
    <rule id="900907" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Suspicious FromBase64String Usage On Gzip Archive - Ps Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)MemoryStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)H4sI</field>
    </rule>
    <rule id="900908" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574.011</id>
            <id>stp.2a</id>
        </mitre>
        <description>Service Registry Permissions Weakness Check</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-acl</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)REGISTRY::HKLM\\+SYSTEM\\+CurrentControlSet\\+Services\\+</field>
    </rule>
    <rule id="900909" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Active Directory Group Enumeration With Get-AdGroup</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-AdGroup\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Filter</field>
    </rule>
    <rule id="900910" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>Suspicious Get-ADReplAccount</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ADReplAccount</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-All\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Server\ )</field>
    </rule>
    <rule id="900911" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1217</id>
        </mitre>
        <description>Automated Collection Bookmarks Using Get-ChildItem PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ChildItem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Recurse\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Path\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ Bookmarks</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-ErrorAction\ SilentlyContinue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Force</field>
    </rule>
    <rule id="900912" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - Rubeus Execution - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)asreproast\ |dump\ /service:krbtgt\ |dump\ /luid:0x|kerberoast\ |createnetonly\ /program:|ptt\ /ticket:|/impersonateuser:|renew\ /ticket:|asktgt\ /user:|harvest\ /interval:|s4u\ /user:|s4u\ /ticket:|hash\ /password:|golden\ /aes256:|silver\ /user:</field>
    </rule>
    <rule id="900913" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1046</id>
            <id>attack.t1082</id>
            <id>attack.t1106</id>
            <id>attack.t1518</id>
            <id>attack.t1548.002</id>
            <id>attack.t1552.001</id>
            <id>attack.t1555</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>HackTool - WinPwn Execution - ScriptBlock</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Offline_Winpwn|WinPwn\ |WinPwn\.exe|WinPwn\.ps1</field>
    </rule>
    <rule id="900914" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>PowerShell Hotfix Enumeration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_QuickFixEngineering</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HotFixID</field>
    </rule>
    <rule id="900915" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>PowerShell ICMP Exfiltration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.NetworkInformation\.Ping</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Send\(</field>
    </rule>
    <rule id="900916" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Import PowerShell Modules From Suspicious Directories</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Import\-Module\ "\$Env:Temp\\+|Import\-Module\ '\$Env:Temp\\+|Import\-Module\ \$Env:Temp\\+|Import\-Module\ "\$Env:Appdata\\+|Import\-Module\ '\$Env:Appdata\\+|Import\-Module\ \$Env:Appdata\\+|Import\-Module\ C:\\+Users\\+Public\\+|ipmo\ "\$Env:Temp\\+|ipmo\ '\$Env:Temp\\+|ipmo\ \$Env:Temp\\+|ipmo\ "\$Env:Appdata\\+|ipmo\ '\$Env:Appdata\\+|ipmo\ \$Env:Appdata\\+|ipmo\ C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="900917" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Execute Invoke-command on Remote Host</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:invoke\-command\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-ComputerName\ )</field>
    </rule>
    <rule id="900918" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Powershell DNSExfiltration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-DNSExfiltrator</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-i\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-doh\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-t\ )</field>
    </rule>
    <rule id="900919" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&amp;&amp;.+clipboard]::\(\s\\+"\{\d\}.+-f.+"</field>
    </rule>
    <rule id="900920" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
    </rule>
    <rule id="900921" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation STDIN+ Launcher - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"</field>
    </rule>
    <rule id="900922" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\+"\s+?-f(?:.*\)){1,}.*"</field>
    </rule>
    <rule id="900923" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:readtoend)$</field>
    </rule>
    <rule id="900924" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
    </rule>
    <rule id="900925" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*(set).*&amp;&amp;\s?set.*(environment|invoke|\$\{?input).*&amp;&amp;.*"</field>
    </rule>
    <rule id="900926" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*?echo.*clip.*&amp;&amp;.*(Clipboard|i`?n`?v`?o`?k`?e`?).*</field>
    </rule>
    <rule id="900927" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="900928" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Rundll32 - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)shellexec_rundll</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)value|invoke|comspec|iex</field>
    </rule>
    <rule id="900929" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i).*&amp;&amp;set.*(\{\d\}){2,}\\+"\s+?-f.*&amp;&amp;.*cmd.*/c</field>
    </rule>
    <rule id="900930" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Powershell Keylogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Keystrokes</field>
    </rule>
    <rule id="900931" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Powershell Keylogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ProcAddress\ user32\.dll\ GetAsyncKeyState</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ProcAddress\ user32\.dll\ GetForegroundWindow</field>
    </rule>
    <rule id="900932" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1098</id>
        </mitre>
        <description>Powershell LocalAccount Manipulation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Disable\-LocalUser|Enable\-LocalUser|Get\-LocalUser|Set\-LocalUser|New\-LocalUser|Rename\-LocalUser|Remove\-LocalUser</field>
    </rule>
    <rule id="900933" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox Export to Share - PS</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-MailboxExportRequest</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-Mailbox\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-FilePath\ \\+</field>
    </rule>
    <rule id="900934" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Do\-Exfiltration|Enable\-ADIDNSNode|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNSNodeAttribute|Get\-ADIDNSNodeOwner|Get\-ADIDNSNodeTombstoned|Get\-ADIDNSPermission|Get\-ADIDNSZone|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-HoneyHash|New\-InMemoryModule|New\-SOASerialNumberArray|Out\-Minidump|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)Get\-SystemDriveInfo</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Amazon\\+EC2\-Windows\\+Launch\\+Module\\+</field>
    </rule>
    <rule id="900935" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Keywords</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AdjustTokenPrivileges|IMAGE_NT_OPTIONAL_HDR64_MAGIC|Metasploit|Microsoft\.Win32\.UnsafeNativeMethods|Mimikatz|MiniDumpWriteDump|PAGE_EXECUTE_READ|ReadProcessMemory\.Invoke|SE_PRIVILEGE_ENABLED|SECURITY_DELEGATION|TOKEN_ADJUST_PRIVILEGES|TOKEN_ALL_ACCESS|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_ELEVATION|TOKEN_IMPERSONATE|TOKEN_INFORMATION_CLASS|TOKEN_PRIVILEGES|TOKEN_QUERY</field>
    </rule>
    <rule id="900936" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1003</id>
        </mitre>
        <description>Live Memory Dump Using Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-StorageDiagnosticInfo</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-IncludeLiveDump</field>
    </rule>
    <rule id="900937" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Powershell MsXml COM Object</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ComObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)MsXml2\.</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)XmlHttp</field>
    </rule>
    <rule id="900938" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious Nishang PowerShell Commandlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Add\-ConstrainedDelegationBackdoor|Copy\-VSS|Create\-MultipleSessions|DataToEncode|DNS_TXT_Pwnage|Do\-Exfiltration\-Dns|Download_Execute|Download\-Execute\-PS|DownloadAndExtractFromRemoteRegistry|DumpCerts|DumpCreds|DumpHashes|Enable\-DuplicateToken|Enable\-Duplication|Execute\-Command\-MSSQL|Execute\-DNSTXT\-Code|Execute\-OnTime|ExetoText|exfill|ExfilOption|FakeDC|FireBuster|FireListener|Get\-Information\ |Get\-PassHints|Get\-Web\-Credentials|Get\-WebCredentials|Get\-WLAN\-Keys|HTTP\-Backdoor|Invoke\-AmsiBypass|Invoke\-BruteForce|Invoke\-CredentialsPhish|Invoke\-Decode|Invoke\-Encode|Invoke\-Interceptor|Invoke\-JSRatRegsvr|Invoke\-JSRatRundll|Invoke\-MimikatzWDigestDowngrade|Invoke\-NetworkRelay|Invoke\-PowerShellIcmp|Invoke\-PowerShellUdp|Invoke\-Prasadhak|Invoke\-PSGcat|Invoke\-PsGcatAgent|Invoke\-SessionGopher|Invoke\-SSIDExfil|LoggedKeys|Nishang|NotAllNameSpaces|Out\-CHM|OUT\-DNSTXT|Out\-HTA|Out\-RundllCommand|Out\-SCF|Out\-SCT|Out\-Shortcut|Out\-WebQuery|Out\-Word|Parse_Keys|Password\-List|Powerpreter|Remove\-Persistence|Remove\-PoshRat|Remove\-Update|Run\-EXEonRemote|Set\-DCShadowPermissions|Set\-RemotePSRemoting|Set\-RemoteWMI|Shellcode32|Shellcode64|StringtoBase64|TexttoExe</field>
    </rule>
    <rule id="900939" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Code Executed Via Office Add-in XLL File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:new\-object\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComObject\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.application</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.RegisterXLL</field>
    </rule>
    <rule id="900940" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DumpCreds</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DumpCerts</field>
    </rule>
    <rule id="900941" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)sekurlsa::logonpasswords</field>
    </rule>
    <rule id="900942" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Invoke-Mimikatz PowerShell Script</description>
        <options>no_full_log</options>
        <group>ps_script,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)crypto::certificates</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CERT_SYSTEM_STORE_LOCAL_MACHINE</field>
    </rule>
    <rule id="900943" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerView PowerShell Cmdlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Export\-PowerViewCSV|Find\-DomainLocalGroupMember|Find\-DomainObjectPropertyOutlier|Find\-DomainProcess|Find\-DomainShare|Find\-DomainUserEvent|Find\-DomainUserLocation|Find\-ForeignGroup|Find\-ForeignUser|Find\-GPOComputerAdmin|Find\-GPOLocation|Find\-InterestingDomain|Find\-InterestingFile|Find\-LocalAdminAccess|Find\-ManagedSecurityGroups|Get\-CachedRDPConnection|Get\-DFSshare|Get\-DomainDFSShare|Get\-DomainDNSRecord|Get\-DomainDNSZone|Get\-DomainFileServer|Get\-DomainGPOComputerLocalGroupMapping|Get\-DomainGPOLocalGroup|Get\-DomainGPOUserLocalGroupMapping|Get\-LastLoggedOn|Get\-LoggedOnLocal|Get\-NetFileServer|Get\-NetForest|Get\-NetGPOGroup|Get\-NetProcess|Get\-NetRDPSession|Get\-RegistryMountedDrive|Get\-RegLoggedOn|Get\-WMIRegCachedRDPConnection|Get\-WMIRegLastLoggedOn|Get\-WMIRegMountedDrive|Get\-WMIRegProxy|Invoke\-ACLScanner|Invoke\-CheckLocalAdminAccess|Invoke\-EnumerateLocalAdmin|Invoke\-EventHunter|Invoke\-FileFinder|Invoke\-Kerberoast|Invoke\-MapDomainTrust|Invoke\-ProcessHunter|Invoke\-RevertToSelf|Invoke\-ShareFinder|Invoke\-UserHunter|Invoke\-UserImpersonation|Remove\-RemoteConnection|Request\-SPNTicket|Resolve\-IPAddress</field>
    </rule>
    <rule id="900944" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Credential Prompt</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PromptForCredential</field>
    </rule>
    <rule id="900945" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PSAsyncShell - Asynchronous TCP Reverse Shell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PSAsyncShell</field>
    </rule>
    <rule id="900946" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell PSAttack</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PS\ ATTACK!!!</field>
    </rule>
    <rule id="900947" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)^(?:function\ Get\-VMRemoteFXPhysicalVideoAdapter\ \{)</field>
    </rule>
    <rule id="900948" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Remote Session Creation</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-PSSession</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComputerName\ )</field>
    </rule>
    <rule id="900949" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>Request A Single Ticket via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.IdentityModel\.Tokens\.KerberosRequestorSecurityToken</field>
    </rule>
    <rule id="900950" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1020</id>
        </mitre>
        <description>PowerShell Script With File Hostname Resolving Capabilities</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-content\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)foreach</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.Dns\]::GetHostEntry</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Out\-File</field>
    </rule>
    <rule id="900951" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Move\-Item</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
    </rule>
    <rule id="900952" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Import\-Certificate</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
    </rule>
    <rule id="900953" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Invoke-Item From Mount-DiskImage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Mount\-DiskImage\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ImagePath\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Volume</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.DriveLetter</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:invoke\-item\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\):\\+</field>
    </rule>
    <rule id="900954" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
        </mitre>
        <description>Powershell Exfiltration Over SMTP</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Send\-MailMessage</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)CmdletsToExport</field>
    </rule>
    <rule id="900955" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222</id>
        </mitre>
        <description>PowerShell Script Change Permission Via Set-Acl - PsScript</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Acl\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-AclObject\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
    </rule>
    <rule id="900956" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Change PowerShell Policies to an Insecure Level - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-ExecutionPolicy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Unrestricted|bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://community\.chocolatey\.org/install\.ps1'$</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://chocolatey\.org/install\.ps1'$</field>
    </rule>
    <rule id="900957" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell ShellCode</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OiCAAAAYInlM|OiJAAAAYInlM</field>
    </rule>
    <rule id="900958" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious ShellIntel PowerShell Commandlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-SMBAutoBrute|Invoke\-GPOLinks|Invoke\-Potato</field>
    </rule>
    <rule id="900959" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1518</id>
        </mitre>
        <description>Detected Windows Software Discovery - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-itemProperty</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+software\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)select\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)format\-table</field>
    </rule>
    <rule id="900960" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Powershell Store File In Alternate Data Stream</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Start\-Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-FilePath\ "\$env:comspec"\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ArgumentList\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)&gt;</field>
    </rule>
    <rule id="900961" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Potential Persistence Via Security Descriptors - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_Trustee</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)win32_Ace</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AccessMask</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AceType</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.SetSecurityDescriptor</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+Lsa\\+JD|\\+Lsa\\+Skew1|\\+Lsa\\+Data|\\+Lsa\\+GBG</field>
    </rule>
    <rule id="900962" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-ADPrincipalGroupMembership</field>
    </rule>
    <rule id="900963" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>AD Groups Or Users Enumeration Using PowerShell - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-aduser</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-f\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-pr\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DoesNotRequirePreAuth</field>
    </rule>
    <rule id="900964" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Using Character Join</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Alias</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Value\ \(\-join\(</field>
    </rule>
    <rule id="900965" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
        </mitre>
        <description>Suspicious Eventlog Clear</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Clear\-EventLog\ |Remove\-EventLog\ |Limit\-EventLog\ |Clear\-WinEvent\ )</field>
    </rule>
    <rule id="900966" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1083</id>
        </mitre>
        <description>Powershell Directory Enumeration</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)foreach</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ChildItem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ErrorAction\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SilentlyContinue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Out\-File\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-append</field>
    </rule>
    <rule id="900967" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Download - Powershell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.WebClient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.DownloadFile\(|\.DownloadFileAsync\(|\.DownloadString\(|\.DownloadStringAsync\(</field>
    </rule>
    <rule id="900968" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Extracting Information with PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ls</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-R</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:select\-string\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Pattern\ )</field>
    </rule>
    <rule id="900969" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Troubleshooting Pack Cmdlet Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-TroubleshootingPack</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)C:\\+Windows\\+Diagnostics\\+System\\+PCW</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-AnswerFile</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Unattended</field>
    </rule>
    <rule id="900970" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>PowerShell Get-Process LSASS in ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Process\ lsass</field>
    </rule>
    <rule id="900971" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Suspicious GetTypeFromCLSID ShellExecute</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)::GetTypeFromCLSID\(</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.ShellExecute\(</field>
    </rule>
    <rule id="900972" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1201</id>
        </mitre>
        <description>Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-AdDefaultDomainPasswordPolicy</field>
    </rule>
    <rule id="900973" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>Suspicious PowerShell Get Current User</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Environment\]::UserName|\$env:UserName|\[System\.Security\.Principal\.WindowsIdentity\]::GetCurrent</field>
    </rule>
    <rule id="900974" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1615</id>
        </mitre>
        <description>Suspicious GPO Discovery With Get-GPO</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-GPO</field>
    </rule>
    <rule id="900975" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1057</id>
        </mitre>
        <description>Suspicious Process Discovery With Get-Process</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Process</field>
    </rule>
    <rule id="900976" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
        </mitre>
        <description>Suspicious Hyper-V Cmdlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-VM|Set\-VMFirmware|Start\-VM</field>
    </rule>
    <rule id="900977" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="900978" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="900979" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="900980" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HKCU\\+software\\+microsoft\\+windows\\+currentversion\\+run</field>
    </rule>
    <rule id="900981" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="900982" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="900983" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)\(New\-Object\ System\.Net\.WebClient$\.DownloadString$'https://chocolatey\.org/install\.ps1'$</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="900984" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Change User Agents with WebRequest</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-WebRequest</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-UserAgent\ )</field>
    </rule>
    <rule id="900985" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.003</id>
        </mitre>
        <description>Suspicious IO.FileStream</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)IO\.FileStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+\.\\+</field>
    </rule>
    <rule id="900986" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.credential_access</id>
            <id>attack.t1056.001</id>
        </mitre>
        <description>Potential Keylogger Activity</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Windows\.Input\.Keyboard\]::IsKeyDown\(\[System\.Windows\.Input\.Key\]::</field>
    </rule>
    <rule id="900987" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Suspicious PowerShell Keywords</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Reflection\.Assembly\.Load\(\$|\[System\.Reflection\.Assembly\]::Load\(\$|\[Reflection\.Assembly\]::Load\(\$|System\.Reflection\.AssemblyName|Reflection\.Emit\.AssemblyBuilderAccess|Reflection\.Emit\.CustomAttributeBuilder|Runtime\.InteropServices\.UnmanagedType|Runtime\.InteropServices\.DllImportAttribute|SuspendThread|rundll32</field>
    </rule>
    <rule id="900988" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-localgroup|Get\-LocalGroupMember</field>
    </rule>
    <rule id="900989" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Local Groups Information - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-WMIObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_Group</field>
    </rule>
    <rule id="900990" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1114.001</id>
        </mitre>
        <description>Powershell Local Email Collection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-Inbox\.ps1|Microsoft\.Office\.Interop\.Outlook|Microsoft\.Office\.Interop\.Outlook\.olDefaultFolders|\-comobject\ outlook\.application</field>
    </rule>
    <rule id="900991" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>PowerShell Deleted Mounted Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-SmbShare|Remove\-FileShare</field>
    </rule>
    <rule id="900992" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Mount-DiskImage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Mount\-DiskImage\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ImagePath\ )</field>
    </rule>
    <rule id="900993" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>Suspicious Connection to Remote Account</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.DirectoryServices\.Protocols\.LdapDirectoryIdentifier|System\.Net\.NetworkCredential|System\.DirectoryServices\.Protocols\.LdapConnection</field>
    </rule>
    <rule id="900994" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Suspicious New-PSDrive to Admin Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)New\-PSDrive</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-psprovider\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)filesystem</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-root\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$</field>
    </rule>
    <rule id="900995" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>Suspicious TCP Tunnel Via PowerShell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.HttpWebRequest\]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.Sockets\.TcpListener</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AcceptTcpClient</field>
    </rule>
    <rule id="900996" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1531</id>
        </mitre>
        <description>Remove Account From Domain Admin Group</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Remove\-ADGroupMember</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Identity\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Members\ )</field>
    </rule>
    <rule id="900997" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Using Alias Cmdlets</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Alias\ |New\-Alias\ )</field>
    </rule>
    <rule id="900998" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1069.001</id>
        </mitre>
        <description>Suspicious Get Information for SMB Share</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-smbshare</field>
    </rule>
    <rule id="900999" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1573</id>
        </mitre>
        <description>Suspicious SSL Connection</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)System\.Net\.Security\.SslStream</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Net\.Security\.RemoteCertificateValidationCallback</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.AuthenticateAsClient</field>
    </rule>
    <rule id="901000" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Start-Process PassThru</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Start\-Process</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-PassThru\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-FilePath\ )</field>
    </rule>
    <rule id="901001" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.005</id>
        </mitre>
        <description>Suspicious Unblock-File</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Unblock\-File\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Path\ )</field>
    </rule>
    <rule id="901002" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Replace Desktop Wallpaper by Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-ItemProperty</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Registry::</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WallPaper</field>
    </rule>
    <rule id="901003" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Replace Desktop Wallpaper by Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SystemParametersInfo$20,0,.+,3$</field>
    </rule>
    <rule id="901004" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1120</id>
        </mitre>
        <description>Powershell Suspicious Win32_PnPEntity</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_PnPEntity</field>
    </rule>
    <rule id="901005" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Delete Volume Shadow Copies via WMI with PowerShell - PS Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Get\-WmiObject</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Win32_Shadowcopy</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.Delete</field>
    </rule>
    <rule id="901006" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>Suspicious PowerShell WindowStyle Option</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WindowStyle</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Hidden</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)\$PSScriptRoot\\+Module\\+WorkspaceScriptModule\\+WorkspaceScriptModule</field>
    </rule>
    <rule id="901007" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>PowerShell Write-EventLog Usage</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Write\-EventLog</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-RawData\ )</field>
    </rule>
    <rule id="901008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Zip A Folder With PowerShell For Staging In Temp - PowerShell Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901009" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>SyncAppvPublishingServer Execution to Bypass Powershell Restriction</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)SyncAppvPublishingServer\.exe</field>
    </rule>
    <rule id="901010" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper Windows Defender - ScriptBlockLogging</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Set\-MpPreference</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\-dbaf\ \$true|\-dbaf\ 1|\-dbm\ \$true|\-dbm\ 1|\-dips\ \$true|\-dips\ 1|\-DisableArchiveScanning\ \$true|\-DisableArchiveScanning\ 1|\-DisableBehaviorMonitoring\ \$true|\-DisableBehaviorMonitoring\ 1|\-DisableBlockAtFirstSeen\ \$true|\-DisableBlockAtFirstSeen\ 1|\-DisableCatchupFullScan\ \$true|\-DisableCatchupFullScan\ 1|\-DisableCatchupQuickScan\ \$true|\-DisableCatchupQuickScan\ 1|\-DisableIntrusionPreventionSystem\ \$true|\-DisableIntrusionPreventionSystem\ 1|\-DisableIOAVProtection\ \$true|\-DisableIOAVProtection\ 1|\-DisableRealtimeMonitoring\ \$true|\-DisableRealtimeMonitoring\ 1|\-DisableRemovableDriveScanning\ \$true|\-DisableRemovableDriveScanning\ 1|\-DisableScanningMappedNetworkDrivesForFullScan\ \$true|\-DisableScanningMappedNetworkDrivesForFullScan\ 1|\-DisableScanningNetworkFiles\ \$true|\-DisableScanningNetworkFiles\ 1|\-DisableScriptScanning\ \$true|\-DisableScriptScanning\ 1|\-MAPSReporting\ \$false|\-MAPSReporting\ 0|\-drdsc\ \$true|\-drdsc\ 1|\-drtm\ \$true|\-drtm\ 1|\-dscrptsc\ \$true|\-dscrptsc\ 1|\-dsmndf\ \$true|\-dsmndf\ 1|\-dsnf\ \$true|\-dsnf\ 1|\-dss\ \$true|\-dss\ 1</field>
    </rule>
    <rule id="901011" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1571</id>
        </mitre>
        <description>Testing Usage of Uncommonly Used Port</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Test\-NetConnection</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ComputerName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-port\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)(?:\ 443\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)(?:\ 80\ )</field>
    </rule>
    <rule id="901012" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.006</id>
        </mitre>
        <description>Powershell Timestomp</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.CreationTime\ =|\.LastWriteTime\ =|\.LastAccessTime\ =|\[IO\.File\]::SetCreationTime|\[IO\.File\]::SetLastAccessTime|\[IO\.File\]::SetLastWriteTime</field>
    </rule>
    <rule id="901013" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.009</id>
        </mitre>
        <description>Powershell Token Obfuscation - Powershell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\w+`(\w+|-|.)`[\w+|\s]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)"(\{\d\}){2,}"\s*-f</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)it\ will\ return\ true\ or\ false\ instead</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)The\ function\ also\ prevents\ `Get\-ItemProperty`\ from\ failing</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\\+bin\\+servicecontrol\.ps1)</field>
        <field name="win.eventdata.scriptBlockText" negate="yes" type="pcre2">(?i)`r`n</field>
    </rule>
    <rule id="901014" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
        </mitre>
        <description>User Discovery And Export Via Get-ADUser Cmdlet - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-ADUser\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ \-Filter\ \\+.+</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\ &gt;\ |\ \|\ Select\ |Out\-File|Set\-Content|Add\-Content</field>
    </rule>
    <rule id="901015" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Abuse of Service Permissions to Hide Services Via Set-Service - PS</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Set\-Service\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DCLCWPDTSD</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-SecurityDescriptorSddl\ |\-sd\ )</field>
    </rule>
    <rule id="901016" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
        </mitre>
        <description>Veeam Backup Servers Credential Dumping Script Execution</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Credentials\]</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[Veeam\.Backup\.Common\.ProtectedStorage\]::GetLocalString</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Invoke\-Sqlcmd</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Veeam\ Backup\ and\ Replication</field>
    </rule>
    <rule id="901017" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Usage Of Web Request Commands And Cmdlets - ScriptBlock</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\[System\.Net\.WebRequest\]::create|curl\ |Invoke\-RestMethod|Invoke\-WebRequest|iwr\ |Net\.WebClient|Resume\-BitsTransfer|Start\-BitsTransfer|wget\ |WinHttp\.WinHttpRequest</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+)</field>
    </rule>
    <rule id="901018" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>PowerShell WMI Win32_Product Install MSI</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Invoke\-CimMethod\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Win32_Product\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-MethodName\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)\.msi</field>
    </rule>
    <rule id="901019" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualAlloc</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcess</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WriteProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CreateRemoteThread</field>
    </rule>
    <rule id="901020" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcessToken</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)LookupPrivilegeValue</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)AdjustTokenPrivileges</field>
    </rule>
    <rule id="901021" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)OpenProcessToken</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DuplicateTokenEx</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)CloseHandle</field>
    </rule>
    <rule id="901022" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via PowerShell Scripts</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)WriteProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualAlloc</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)ReadProcessMemory</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)VirtualFree</field>
    </rule>
    <rule id="901023" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>WMImplant Hack Tool</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:WMImplant|\ change_user\ |\ gen_cli\ |\ command_exec\ |\ disable_wdigest\ |\ disable_winrm\ |\ enable_wdigest\ |\ enable_winrm\ |\ registry_mod\ |\ remote_posh\ |\ sched_job\ |\ service_mod\ |\ process_kill\ |\ active_users\ |\ basic_info\ |\ power_off\ |\ vacant_system\ |\ logon_events\ )</field>
    </rule>
    <rule id="901024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Powershell WMI Persistence</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-CimInstance\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Namespace\ root/subscription\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ __EventFilter\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Property\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:New\-CimInstance\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Namespace\ root/subscription\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-ClassName\ CommandLineEventConsumer\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\-Property\ )</field>
    </rule>
    <rule id="901025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WMIC Unquoted Services Path Lookup - PowerShell</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:Get\-WmiObject\ |gwmi\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)(?:\ Win32_Service\ )</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)Name</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)DisplayName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)PathName</field>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)StartMode</field>
    </rule>
    <rule id="901026" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Suspicious X509Enrollment - Ps Script</description>
        <options>no_full_log</options>
        <group>windows,ps_script,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)X509Enrollment\.CBinaryConverter|884e2002\-217d\-11da\-b2a4\-000e7bbb2b09</field>
    </rule>
    <rule id="901027" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.003</id>
            <id>attack.execution</id>
            <id>attack.t1559.001</id>
            <id>attack.g0069</id>
            <id>attack.g0080</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Process Access</description>
        <options>no_full_log</options>
        <group>windows,process_access,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)cmlua\.dll</field>
    </rule>
    <rule id="901028" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - CobaltStrike BOF Injection Pattern</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+[a-z0-9]{4,6}\|C:\\+Windows\\+System32\\+KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN$[A-Z0-9]{16}$$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1028|0x1fffff)$</field>
    </rule>
    <rule id="901029" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>HackTool - Generic Process Access</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+Akagi\.exe|\\+Akagi64\.exe|\\+atexec_windows\.exe|\\+Certify\.exe|\\+Certipy\.exe|\\+CoercedPotato\.exe|\\+crackmapexec\.exe|\\+CreateMiniDump\.exe|\\+dcomexec_windows\.exe|\\+dpapi_windows\.exe|\\+findDelegation_windows\.exe|\\+GetADUsers_windows\.exe|\\+GetNPUsers_windows\.exe|\\+getPac_windows\.exe|\\+getST_windows\.exe|\\+getTGT_windows\.exe|\\+GetUserSPNs_windows\.exe|\\+gmer\.exe|\\+hashcat\.exe|\\+htran\.exe|\\+ifmap_windows\.exe|\\+impersonate\.exe|\\+Inveigh\.exe|\\+LocalPotato\.exe|\\+mimikatz_windows\.exe|\\+mimikatz\.exe|\\+netview_windows\.exe|\\+nmapAnswerMachine_windows\.exe|\\+opdump_windows\.exe|\\+PasswordDump\.exe|\\+Potato\.exe|\\+PowerTool\.exe|\\+PowerTool64\.exe|\\+psexec_windows\.exe|\\+PurpleSharp\.exe|\\+pypykatz\.exe|\\+QuarksPwDump\.exe|\\+rdp_check_windows\.exe|\\+Rubeus\.exe|\\+SafetyKatz\.exe|\\+sambaPipe_windows\.exe|\\+SelectMyParent\.exe|\\+SharpChisel\.exe|\\+SharPersist\.exe|\\+SharpEvtMute\.exe|\\+SharpImpersonation\.exe|\\+SharpLDAPmonitor\.exe|\\+SharpLdapWhoami\.exe|\\+SharpUp\.exe|\\+SharpView\.exe|\\+smbclient_windows\.exe|\\+smbserver_windows\.exe|\\+sniff_windows\.exe|\\+sniffer_windows\.exe|\\+split_windows\.exe|\\+SpoolSample\.exe|\\+Stracciatella\.exe|\\+SysmonEOP\.exe|\\+temp\\+rot\.exe|\\+ticketer_windows\.exe|\\+TruffleSnout\.exe|\\+winPEASany_ofs\.exe|\\+winPEASany\.exe|\\+winPEASx64_ofs\.exe|\\+winPEASx64\.exe|\\+winPEASx86_ofs\.exe|\\+winPEASx86\.exe|\\+xordump\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)\\+goldenPac|\\+just_dce_|\\+karmaSMB|\\+kintercept|\\+LocalPotato|\\+ntlmrelayx|\\+rpcdump|\\+samrdump|\\+secretsdump|\\+smbexec|\\+smbrelayx|\\+wmiexec|\\+wmipersist|HotPotato|Juicy\ Potato|JuicyPotato|PetitPotam|RottenPotato</field>
    </rule>
    <rule id="901030" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz Duplicating LSASS Handle</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1440)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
    </rule>
    <rule id="901031" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.t1055.003</id>
        </mitre>
        <description>HackTool - LittleCorporal Generated Maldoc Injection</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+v2\.</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
    </rule>
    <rule id="901032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i):\\+Windows\\+Sysmon\.exe|:\\+Windows\\+Sysmon64\.exe</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1400)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
    </rule>
    <rule id="901033" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i):\\+Windows\\+Sysmon\.exe|:\\+Windows\\+Sysmon64\.exe</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1400)$</field>
    </rule>
    <rule id="901034" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SysmonEnte Execution</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:Ente)$</field>
    </rule>
    <rule id="901035" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Lsass Memory Dump via Comsvcs DLL</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)comsvcs\.dll</field>
    </rule>
    <rule id="901036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>LSASS Memory Access by Tool With Dump Keyword In Name</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)dump</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$</field>
    </rule>
    <rule id="901037" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potential Credential Dumping Activity Via LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1038|0x1438|0x143a|0x1fffff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)dbgcore\.dll|dbghelp\.dll|kernel32\.dll|kernelbase\.dll|ntdll\.dll</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="901038" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potential Credential Dumping Activity Via LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)0x1038|0x1438|0x143a|0x1fffff</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)dbgcore\.dll|dbghelp\.dll|kernel32\.dll|kernelbase\.dll|ntdll\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\\+thor\\+thor64\.exe\+</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|UNKNOWN\(</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x103800)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Sysmon64\.exe)$</field>
    </rule>
    <rule id="901039" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0349</id>
        </mitre>
        <description>Credential Dumping Activity By Python Based Tool</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)_ctypes\.pyd\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+System32\\+KERNELBASE\.dll\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i):\\+Windows\\+SYSTEM32\\+ntdll\.dll\+</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)python27\.dll\+|python3.+\.dll\+</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1FFFFF)$</field>
    </rule>
    <rule id="901040" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1003.001</id>
            <id>attack.t1059.001</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Remote LSASS Process Access Through Windows Remote Management</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?::\\+Windows\\+system32\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x80000000)$</field>
    </rule>
    <rule id="901041" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious LSASS Access Via MalSecLogon</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x14c0)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)seclogon\.dll</field>
    </rule>
    <rule id="901042" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potentially Suspicious GrantedAccess Flags On LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x100000|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|.:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Definition\ Updates\\+\{</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\}\\+mpengine\.dll\+</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x1418)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|c:\\+program\ files\\+windows\ defender\\+mprtp\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)\|c:\\+program\ files\\+windows\ defender\\+MpClient\.dll</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x401)$</field>
    </rule>
    <rule id="901043" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Potentially Suspicious GrantedAccess Flags On LSASS</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x100000|0x1418|0x1438|0x143a|0x1f0fff|0x1f1fff|0x1f2fff|0x1f3fff|0x40)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+ProgramData\\+MALWAREBYTES\\+MBAMSERVICE\\+ctlrupdate\\+mbupdatr\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+VMware\\+VMware\ Tools\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+PROCEXP64\.EXE)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+PROCEXP\.EXE)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x40)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MBAMInstallerService\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x40)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x40)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x40)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x401)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+SteamLibrary\\+steamapps\\+</field>
    </rule>
    <rule id="901044" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>Credential Dumping Attempt Via WerFault</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1FFFFF)$</field>
    </rule>
    <rule id="901045" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0002</id>
        </mitre>
        <description>LSASS Access From Potentially White-Listed Processes</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\.exe|\\+ProcessDump\.exe|\\+dump64\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)(?:10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$</field>
    </rule>
    <rule id="901046" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential Direct Syscall of NtOpenProcess</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN)</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:vcredist_x64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:vcredist_x64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)^(?:Microsoft\-Windows\-Kernel\-Audit\-API\-Calls)$</field>
    </rule>
    <rule id="901047" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential Direct Syscall of NtOpenProcess</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN)</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+systeminfo\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:setup64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Explorer\.EXE)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Cylance\\+Desktop\\+CylanceUI\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:AmazonSSMAgentSetup\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:AmazonSSMAgentSetup\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+Yammer\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+app\-</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Yammer\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x1000)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+Evernote\\+Evernote\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Adobe\\+Acrobat\ DC\\+Acrobat\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AcroCEF\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Adobe\\+Acrobat\ DC\\+Acrobat\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AcroCEF\.exe)$</field>
    </rule>
    <rule id="901048" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential NT API Stub Patching</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1FFFFF)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+taskhostw\.exe</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Windows\\+system32\\+taskhost\.exe</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+v</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+v</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+NGenTask\.exe)$</field>
    </rule>
    <rule id="901049" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential NT API Stub Patching</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1FFFFF)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+SYSTEM32\\+ntdll\.dll\+)</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)\|UNKNOWN$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)(?:$)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+thor64\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+resources\\+app\\+git\\+usr\\+bin\\+sh\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+SysWOW64\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+stage\\+Teams\.exe)$</field>
    </rule>
    <rule id="901050" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential Shellcode Injection</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x147a|0x1f3fff)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Dell\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Dell\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Dell\\+</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Dell\\+</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x1F3FFF)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Dell\\+UpdateService\\+ServiceShell\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+Explorer\.EXE)$</field>
        <field name="win.eventdata.grantedAccess" negate="yes" type="pcre2">(?i)^(?:0x1F3FFF)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+2022\\+Community\\+Common7\\+IDE\\+PerfWatson2\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+2019\\+Community\\+Common7\\+IDE\\+PerfWatson2\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+2022\\+Community\\+Common7\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+2019\\+Community\\+Common7\\+IDE\\+devenv\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+System32\\+ntdll\.dll)</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MSBuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Dell\\+DellDataVault\\+DDVDataCollector\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+Wbem\\+Wmiprvse\.exe)$</field>
        <field name="win.eventdata.targetImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+lsass\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)^(?:.:\\+Windows\\+SYSTEM32\\+ntdll\.dll)</field>
    </rule>
    <rule id="901051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1548</id>
        </mitre>
        <description>Credential Dumping Attempt Via Svchost</description>
        <options>no_full_log</options>
        <group>windows,process_access,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x143a)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
    </rule>
    <rule id="901052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Suspicious Svchost Process Access</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetImage" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1F3FFF)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)UNKNOWN</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">(?i)(?:\\+MSBuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)Microsoft\.Build\.ni\.dll</field>
        <field name="win.eventdata.callTrace" negate="yes" type="pcre2">(?i)System\.ni\.dll</field>
    </rule>
    <rule id="901053" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Function Call From Undocumented COM Interface EditionUpgradeManager</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)editionupgrademanagerobj\.dll</field>
    </rule>
    <rule id="901054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using WOW64 Logger DLL Hijack</description>
        <options>no_full_log</options>
        <group>process_access,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.sourceImage" negate="no" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.grantedAccess" negate="no" type="pcre2">(?i)^(?:0x1fffff)$</field>
        <field name="win.eventdata.callTrace" negate="no" type="pcre2">(?i)^(?:UNKNOWN$0000000000000000$\|UNKNOWN$0000000000000000$\|)</field>
    </rule>
    <rule id="901055" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AddInUtil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901056" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AddInUtil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:\.|\-AddInRoot:"\."|\-PipelineRoot:\.|\-PipelineRoot:"\."</field>
        <field name="win.eventdata.currentDirectory" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901057" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon Child Process Of AddinUtil.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+werfault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+werfault\.exe)$</field>
    </rule>
    <rule id="901058" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon AddinUtil.EXE CommandLine Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AddInUtil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-AddInRoot:|\-PipelineRoot:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-AddInRoot:"C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-AddInRoot:C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-PipelineRoot:"C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-PipelineRoot:C:\\+Program\ Files\ $x86$\\+Common\ Files\\+Microsoft\ Shared\\+VSTA</field>
    </rule>
    <rule id="901059" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>AddinUtil.EXE Execution From Uncommon Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+addinutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AddInUtil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="901060" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious AgentExecutor PowerShell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AgentExecutor\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AgentExecutor\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-powershell|\ \-remediationScript</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+WindowsPowerShell\\+v1\.0\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+WindowsPowerShell\\+v1\.0\\+</field>
    </rule>
    <rule id="901061" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Process Of Appvlp.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+appvlp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+rundll32\.exe)$</field>
    </rule>
    <rule id="901062" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Process Of Appvlp.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+appvlp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msoasb\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+SkypeSrv\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+SKYPESERVER\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSOUC\.EXE)$</field>
    </rule>
    <rule id="901063" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>AspNetCompiler Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+Microsoft\.NET\\+Framework\\+|C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
    </rule>
    <rule id="901064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potentially Suspicious ASP.NET Compilation Via AspNetCompiler</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\\+Microsoft\.NET\\+Framework\\+|C:\\+Windows\\+Microsoft\.NET\\+Framework64\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+aspnet_compiler\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Local\\+Roaming\\+|:\\+Temp\\+|:\\+Windows\\+Temp\\+|:\\+Windows\\+System32\\+Tasks\\+|:\\+Windows\\+Tasks\\+</field>
    </rule>
    <rule id="901065" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AtBroker\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)animations</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)audiodescription</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)caretbrowsing</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)caretwidth</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)colorfiltering</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)cursorindicator</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)cursorscheme</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)filterkeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)focusborderheight</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)focusborderwidth</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)highcontrast</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)keyboardcues</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)keyboardpref</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)livecaptions</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)magnifierpane</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)messageduration</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)minimumhitradius</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)mousekeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Narrator</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)osk</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)overlappedcontent</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)showsounds</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)soundsentry</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)speechreco</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)stickykeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)togglekeys</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)voiceaccess</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowarranging</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtracking</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtrackingtimeout</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)windowtrackingzorder</field>
    </rule>
    <rule id="901066" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AtBroker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AtBroker\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Oracle_JavaAccessBridge</field>
    </rule>
    <rule id="901067" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Hiding Files with Attrib.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ATTRIB\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \+h\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+desktop\.ini\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:\+R\ \+H\ \+S\ \+A\ \\+.+\.cui)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+.+\.bat)$</field>
    </rule>
    <rule id="901068" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Set Suspicious Files as System Files Using Attrib.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ATTRIB\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \+s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ %|\\+Users\\+Public\\+|\\+AppData\\+Local\\+|\\+ProgramData\\+|\\+Downloads\\+|\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat|\.dll|\.exe|\.hta|\.ps1|\.vbe|\.vbs</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe</field>
    </rule>
    <rule id="901069" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1053.002</id>
        </mitre>
        <description>Interactive AT Job</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+at\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)interactive</field>
    </rule>
    <rule id="901070" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Audit Policy Tampering Via NT Resource Kit Auditpol</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/logon:none|/system:none|/sam:none|/privilege:none|/object:none|/process:none|/policy:none</field>
    </rule>
    <rule id="901071" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Indirect Command Execution From Script File Via Bash.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+bash\.exe|:\\+Windows\\+SysWOW64\\+bash\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Bash\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash\.exe\ \-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)bash\ \-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:bash\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:bash)$</field>
    </rule>
    <rule id="901072" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of BgInfo.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+bginfo\.exe|\\+bginfo64\.exe)$</field>
    </rule>
    <rule id="901073" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
            <id>attack.s0190</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>File Download Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:bitsadmin\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /transfer\ )</field>
    </rule>
    <rule id="901074" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1197</id>
            <id>attack.s0190</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Download From Direct IP Via Bitsadmin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:bitsadmin\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /transfer\ |\ /create\ |\ /addfile\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://7\-</field>
    </rule>
    <rule id="901075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1197</id>
        </mitre>
        <description>Monitoring For Persistence Via BITS</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:bitsadmin\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/SetNotifyCmdLine</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%COMSPEC%|cmd\.exe|regsvr32\.exe</field>
    </rule>
    <rule id="901076" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Potential Data Stealing Via Chromium Headless Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-remote\-debugging\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-user\-data\-dir</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
    </rule>
    <rule id="901077" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Browser Execution In Headless Mode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
    </rule>
    <rule id="901078" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>File Download with Headless Browser</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-headless</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dump\-dom</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901079" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1176</id>
        </mitre>
        <description>Chromium Browser Instance Executed With Custom Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-load\-extension=</field>
    </rule>
    <rule id="901080" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1176</id>
        </mitre>
        <description>Suspicious Chromium Browser Instance Executed With Custom Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+brave\.exe|\\+chrome\.exe|\\+msedge\.exe|\\+opera\.exe|\\+vivaldi\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-load\-extension=</field>
    </rule>
    <rule id="901081" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Browser Started with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-remote\-debugging\-</field>
    </rule>
    <rule id="901082" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1185</id>
        </mitre>
        <description>Browser Started with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+firefox\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-start\-debugger\-server</field>
    </rule>
    <rule id="901083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.003</id>
        </mitre>
        <description>Tor Client/Browser Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tor\.exe|\\+Tor\ Browser\\+Browser\\+firefox\.exe)$</field>
    </rule>
    <rule id="901084" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Calculator Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+calc\.exe\ )</field>
    </rule>
    <rule id="901085" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Calculator Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
    </rule>
    <rule id="901086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious File Downloaded From Direct IP Via Certutil.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:CertUtil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:urlcache\ |verifyctl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://1|://2|://3|://4|://5|://6|://7|://8|://9</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://7\-</field>
    </rule>
    <rule id="901087" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1614.001</id>
        </mitre>
        <description>Console CodePage Lookup Via CHCP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-c\ |\ \-r\ |\ \-k\ )</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chcp\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:chcp|chcp\ |chcp\ \ )$</field>
    </rule>
    <rule id="901088" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1036</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious CodePage Switch Via CHCP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chcp\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ 936|\ 1258)$</field>
    </rule>
    <rule id="901089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Access via TrolleyExpress Exclusion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\ 7|\\+TrolleyExpress\ 8|\\+TrolleyExpress\ 9|\\+TrolleyExpress\.exe\ 7|\\+TrolleyExpress\.exe\ 8|\\+TrolleyExpress\.exe\ 9|\\+TrolleyExpress\.exe\ \-ma\ )</field>
    </rule>
    <rule id="901090" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Access via TrolleyExpress Exclusion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+TrolleyExpress\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)CtxInstall</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901091" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>Data Copied To Clipboard Via Clip.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+clip\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:clip\.exe)$</field>
    </rule>
    <rule id="901092" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Portable Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cloudflared\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+cloudflared\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+cloudflared\\+</field>
    </rule>
    <rule id="901093" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Quick Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cloudflared\.exe|\\+cloudflared\-windows\-386\.exe|\\+cloudflared\-windows\-amd64\.exe)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29|SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8|SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039|SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28|SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7|SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373|SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670|SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a|SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0|SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1|SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2|SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac|SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f|SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d|SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499|SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b|SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f|SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032|SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234|SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f|SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058|SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c|SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f|SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5|SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3|SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4|SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c|SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4|SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f|SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad|SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7|SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75|SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6|SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688|SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f|SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663|SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77|SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-url|\.exe\ \-\-url</field>
    </rule>
    <rule id="901094" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Cloudflared Quick Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-no\-autoupdate</field>
    </rule>
    <rule id="901095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1090</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Cloudflared Tunnel Connections Cleanup</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cleanup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-connector\-id\ )</field>
    </rule>
    <rule id="901096" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
            <id>attack.t1090</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Cloudflared Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-credentials\-contents\ |\-credentials\-file\ |\-token\ )</field>
    </rule>
    <rule id="901097" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Change Default File Association To Executable Via Assoc</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:assoc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)exefile</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe=exefile</field>
    </rule>
    <rule id="901098" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Curl Download And Execute Combination</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:curl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-o</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;</field>
    </rule>
    <rule id="901099" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1217</id>
        </mitre>
        <description>File Enumeration Via Dir Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:dir.+\-s)</field>
    </rule>
    <rule id="901100" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential Dosfuscation Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\^\^|\^\|\^|,;,|;;;;|;;\ ;;|\(,\(,|%COMSPEC:\~|\ c\^m\^d|\^c\^m\^d|\ c\^md|\ cm\^d|\^cm\^d|\ s\^et\ |\ s\^e\^t\ |\ se\^t\ )</field>
    </rule>
    <rule id="901101" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.command_and_control</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Command Line Execution with Suspicious URL and AppData Strings</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%AppData%</field>
    </rule>
    <rule id="901102" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>VolumeShadowCopy Symlink Creation Via Mklink</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mklink</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="901103" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe/c|\\+cmd/c|"cmd/c|cmd\.exe/k|\\+cmd/k|"cmd/k|cmd\.exe/r|\\+cmd/r|"cmd/r</field>
    </rule>
    <rule id="901104" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/cwhoami|/cpowershell|/cschtasks|/cbitsadmin|/ccertutil|/kwhoami|/kpowershell|/kschtasks|/kbitsadmin|/kcertutil</field>
    </rule>
    <rule id="901105" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c|cmd\ /c|cmd\.exe\ /k|cmd\ /k|cmd\.exe\ /r|cmd\ /r</field>
    </rule>
    <rule id="901106" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Cmd.EXE Missing Space Characters Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /k\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /k\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+resources\\+app\\+node_modules</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:cmd\.exe/c\ \.)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:cmd\.exe\ /c)$</field>
    </rule>
    <rule id="901107" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>NtdllPipe Like Activity Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type\ %windir%\\+system32\\+ntdll\.dll|type\ %systemroot%\\+system32\\+ntdll\.dll|type\ c:\\+windows\\+system32\\+ntdll\.dll|\\+ntdll\.dll\ &gt;\ \\+\.\\+pipe\\+</field>
    </rule>
    <rule id="901108" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Potential CommandLine Path Traversal Via Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/c|/k|/r</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/k|/r</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)^(?:/\.\./\.\./)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/\.\./\.\./</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Tasktop\\+keycloak\\+bin\\+/\.\./\.\./jre\\+bin\\+java</field>
    </rule>
    <rule id="901109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious CMD Shell Output Redirect</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)&gt;.%APPDATA%\\+|&gt;.%TEMP%\\+|&gt;.%TMP%\\+|&gt;.%USERPROFILE%\\+|&gt;.C:\\+ProgramData\\+|&gt;.C:\\+Temp\\+|&gt;.C:\\+Users\\+Public\\+|&gt;.C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901110" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious CMD Shell Output Redirect</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ &gt;|"&gt;|'&gt;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
    </rule>
    <rule id="901111" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Copy From VolumeShadowCopy Via Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.\\+GLOBALROOT\\+Device\\+HarddiskVolumeShadowCopy</field>
    </rule>
    <rule id="901112" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1546.008</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Persistence Via Sticky Key Backdoor</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/y\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+windows\\+system32\\+cmd\.exe\ C:\\+windows\\+system32\\+sethc\.exe</field>
    </rule>
    <rule id="901113" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.008</id>
            <id>car.2014-11-003</id>
            <id>car.2014-11-008</id>
        </mitre>
        <description>Sticky Key Like Backdoor Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sethc\.exe|utilman\.exe|osk\.exe|Magnify\.exe|Narrator\.exe|DisplaySwitch\.exe</field>
    </rule>
    <rule id="901114" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Unusual Parent Process For Cmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+ctfmon\.exe|\\+dllhost\.exe|\\+epad\.exe|\\+FlashPlayerUpdateService\.exe|\\+GoogleUpdate\.exe|\\+jucheck\.exe|\\+jusched\.exe|\\+LogonUI\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+SearchIndexer\.exe|\\+SearchProtocolHost\.exe|\\+SIHClient\.exe|\\+sihost\.exe|\\+slui\.exe|\\+spoolsv\.exe|\\+sppsvc\.exe|\\+taskhostw\.exe|\\+unsecapp\.exe|\\+WerFault\.exe|\\+wermgr\.exe|\\+wlanext\.exe|\\+WUDFHost\.exe)$</field>
    </rule>
    <rule id="901115" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
    </rule>
    <rule id="901116" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious High IntegrityLevel Conhost Legacy Option</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)conhost\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0xffffffff</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ForceV1</field>
    </rule>
    <rule id="901117" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>Conhost.exe CommandLine Path Traversal</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)conhost</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/\.\./\.\./</field>
    </rule>
    <rule id="901118" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of Conhost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="901119" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Uncommon Child Process Of Conhost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.providerName" negate="yes" type="pcre2">(?i)^(?:SystemTraceProvider\-Process)$</field>
    </rule>
    <rule id="901120" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Conhost Spawned By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+services\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+userinit\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ apphost\ \-s\ AppHostSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ imgsvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ localService\ \-p\ \-s\ RemoteRegistry</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ LocalSystemNetworkRestricted\ \-p\ \-s\ NgcSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ NetSvcs\ \-p\ \-s\ NcaSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ netsvcs\ \-p\ \-s\ NetSetupSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ netsvcs\ \-p\ \-s\ wlidsvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ NetworkService\ \-p\ \-s\ DoSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ wsappx\ \-p\ \-s\ AppXSvc</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-k\ wsappx\ \-p\ \-s\ ClipSVC</field>
    </rule>
    <rule id="901121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Conhost Spawned By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+lsass\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+services\.exe|\\+smss\.exe|\\+spoolsv\.exe|\\+svchost\.exe|\\+userinit\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Dropbox\\+Client\\+</field>
    </rule>
    <rule id="901122" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.002</id>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Control Panel Items</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)CurrentVersion\\+Control\ Panel\\+CPLs</field>
    </rule>
    <rule id="901123" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.002</id>
            <id>attack.persistence</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Control Panel Items</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.cpl)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)%System%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\|C:\\+Windows\\+system32\|</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:regsvr32\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /s\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)igfxCPL\.cpl</field>
    </rule>
    <rule id="901124" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp\\+|\\+Temporary\ Internet|\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901125" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="901126" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\+[Aa]pp[Dd]ata\\+([Ll]ocal(Ll]ow)?|[Rr]oaming))\\+[^\\+]{1,256}$</field>
    </rule>
    <rule id="901127" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+inetsrv\\+w3wp\.exe)$</field>
    </rule>
    <rule id="901128" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Dynamic .NET Compilation Via Csc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+chocolatey\\+choco\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+ProgramData\\+Microsoft\\+Windows\ Defender\ Advanced\ Threat\ Protection</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA</field>
    </rule>
    <rule id="901129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+excel\.exe|\\+mshta\.exe|\\+onenote\.exe|\\+outlook\.exe|\\+powerpnt\.exe|\\+winword\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-Encoded\ |FromBase64String</field>
    </rule>
    <rule id="901131" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csc\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\+[Aa]pp[Dd]ata\\+([Ll]ocal(Ll]ow)?|[Rr]oaming))\\+[^\\+]{1,256}$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+Temporary\ Internet</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="901132" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+inetsrv\\+w3wp\.exe)$</field>
    </rule>
    <rule id="901133" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Csc.EXE Execution Form Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+chocolatey\\+choco\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+ProgramData\\+Microsoft\\+Windows\ Defender\ Advanced\ Threat\ Protection</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA</field>
    </rule>
    <rule id="901134" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Suspicious Use of CSharp Interactive Console</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csi\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csi\.exe)$</field>
    </rule>
    <rule id="901135" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Active Directory Structure Export Via Csvde.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csvde\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:csvde\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-f</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-i</field>
    </rule>
    <rule id="901136" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>File Download From IP URL Via Curl.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:curl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-O|\-\-remote\-name|\-\-output</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs")$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.bat')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dat')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.exe')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.gif')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.hta')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.jpeg')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.log')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.msi')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.png')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.ps1')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.psm1')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbe')$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.vbs')$</field>
    </rule>
    <rule id="901137" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:The\ curl\ executable)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%AppData%|%Public%|%Temp%|%tmp%|\\+AppData\\+|\\+Desktop\\+|\\+Temp\\+|\\+Users\\+Public\\+|C:\\+PerfLogs\\+|C:\\+ProgramData\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901138" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:The\ curl\ executable)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.dll|\.gif|\.jpeg|\.jpg|\.png|\.temp|\.tmp|\.txt|\.vbe|\.vbs)$</field>
    </rule>
    <rule id="901139" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Curl.EXE Download</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:The\ curl\ executable)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Git\\+usr\\+bin\\+sh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Git\\+mingw64\\+bin\\+curl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-\-silent\ \-\-show\-error\ \-\-output\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)gfw\-httpget\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)AppData</field>
    </rule>
    <rule id="901140" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Remote File Download Via Desktopimgdownldr Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+desktopimgdownldr\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+desktopimgdownldr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lockscreenurl:http</field>
    </rule>
    <rule id="901141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /lockscreenurl:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.jpg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.jpeg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.png</field>
    </rule>
    <rule id="901142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Desktopimgdownldr Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\ delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+PersonalizationCSP</field>
    </rule>
    <rule id="901143" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Arbitrary MSI Download Via Devinit.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ msi\-install\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-i\ http</field>
    </rule>
    <rule id="901144" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of ClickOnce Application</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Apps\\+2\.0\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+explorer\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+nltest\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+reg\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+werfault\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901145" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1083</id>
        </mitre>
        <description>DirLister Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:DirLister\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dirlister\.exe)$</field>
    </rule>
    <rule id="901146" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of DiskShadow.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+diskshadow\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901147" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Diskshadow Script Mode - Uncommon Script Extension Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:diskshadow\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+diskshadow\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-s\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.txt</field>
    </rule>
    <rule id="901148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Dllhost.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:dllhost\.exe|dllhost)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901149" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>DLL Sideloading by VMware Xfer Utility</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VMwareXferlogs\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+VMware\\+)</field>
    </rule>
    <rule id="901150" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dnscmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/serverlevelplugindll</field>
    </rule>
    <rule id="901151" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>DNS Exfiltration and Tunneling Tools Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+iodine\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+dnscat2</field>
    </rule>
    <rule id="901152" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Unusual Child Process of dns.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+dns\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
    </rule>
    <rule id="901153" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>DriverQuery.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:driverquery\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:drvqry\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Users\\+Public\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901154" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Dism Remove Online Package</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DismHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Online</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Disable\-Feature</field>
    </rule>
    <rule id="901155" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Dism Remove Online Package</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Dism\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Online</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Disable\-Feature</field>
    </rule>
    <rule id="901156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Kernel Dump Using Dtrace</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dtrace\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lkd$0$</field>
    </rule>
    <rule id="901157" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Kernel Dump Using Dtrace</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)syscall:::return</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lkd\(</field>
    </rule>
    <rule id="901158" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Extensions\\+</field>
    </rule>
    <rule id="901159" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.txt</field>
    </rule>
    <rule id="901160" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious DumpMinitool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpMinitool\.exe|\\+DumpMinitool\.x86\.exe|\\+DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:DumpMinitool\.exe|DumpMinitool\.x86\.exe|DumpMinitool\.arm64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ Full</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ Mini</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ WithHeap</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-dumpType</field>
    </rule>
    <rule id="901161" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Esentutl Gather Credentials</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)esentutl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /p</field>
    </rule>
    <rule id="901162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>car.2013-07-001</id>
            <id>attack.s0404</id>
        </mitre>
        <description>Copying Sensitive Files with Credential Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+esentutl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:\\+esentutl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:vss|\ /m\ |\ /y\ )</field>
    </rule>
    <rule id="901163" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.003</id>
            <id>car.2013-07-001</id>
            <id>attack.s0404</id>
        </mitre>
        <description>Copying Sensitive Files with Credential Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+windows\\+ntds\\+ntds\.dit|\\+config\\+sam|\\+config\\+security|\\+config\\+system\ |\\+repair\\+sam|\\+repair\\+system|\\+repair\\+security|\\+config\\+RegBack\\+sam|\\+config\\+RegBack\\+system|\\+config\\+RegBack\\+security</field>
    </rule>
    <rule id="901164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>Potentially Suspicious Event Viewer Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+eventvwr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+WerFault\.exe)$</field>
    </rule>
    <rule id="901165" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-F:)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+Temporary\ Internet|:\\+ProgramData|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|:\\+Windows\\+Temp</field>
    </rule>
    <rule id="901166" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-F:)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901167" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potentially Suspicious Cabinet File Expansion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+expand\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-F:)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Dell\\+UpdateService\\+ServiceShell\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Dell\\+UpdateService\\+Temp\\+</field>
    </rule>
    <rule id="901168" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Explorer Process Tree Break</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/factory,\{75dff2b7\-6936\-4c06\-a8bb\-676a7b00b24b\}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)explorer\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /root,</field>
    </rule>
    <rule id="901169" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Proxy Execution Via Explorer.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)explorer\.exe</field>
    </rule>
    <rule id="901170" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Explorer NOUACCHECK Flag</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/NOUACCHECK</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
    </rule>
    <rule id="901171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>LSASS Process Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+find\.exe|\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:FIND\.EXE|FINDSTR\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass</field>
    </rule>
    <rule id="901172" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>LSASS Process Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /i\ "lsass|\ /i\ lsass\.exe|findstr\ "lsass|findstr\ lsass|findstr\.exe\ "lsass|findstr\.exe\ lsass</field>
    </rule>
    <rule id="901173" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Permission Misconfiguration Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+find\.exe|\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:FIND\.EXE|FINDSTR\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"Everyone"|'Everyone'|"BUILTIN\\+"|'BUILTIN\\+'</field>
    </rule>
    <rule id="901174" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Permission Misconfiguration Reconnaissance Via Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:icacls\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:findstr\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Everyone</field>
    </rule>
    <rule id="901175" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1057</id>
        </mitre>
        <description>Recon Command Output Piped To Findstr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:ipconfig\ /all\ \|\ find\ |ipconfig\ /all\ \|\ findstr\ |ipconfig\ \|\ find\ |ipconfig\ \|\ findstr\ |ipconfig\.exe\ /all\ \|\ find\ |ipconfig\.exe\ /all\ \|\ findstr\ |ipconfig\.exe\ \|\ find\ |ipconfig\.exe\ \|\ findstr\ |net\ start\ \|\ find|net\ start\ \|\ findstr|net\.exe\ start\ \|\ find|net\.exe\ start\ \|\ findstr|net1\ start\ \|\ find|net1\ start\ \|\ findstr|net1\.exe\ start\ \|\ find|net1\.exe\ start\ \|\ findstr|netstat\ \-ano\ \|\ find|netstat\ \-ano\ \|\ findstr|netstat\ \|\ find|netstat\ \|\ findstr|netstat\.exe\ \-ano\ \|\ find|netstat\.exe\ \-ano\ \|\ findstr|netstat\.exe\ \|\ find|netstat\.exe\ \|\ findstr|ping\ \|\ find|ping\ \|\ findstr|ping\.exe\ \|\ find|ping\.exe\ \|\ findstr|systeminfo\ \|\ find\ |systeminfo\ \|\ findstr\ |systeminfo\.exe\ \|\ find\ |systeminfo\.exe\ \|\ findstr\ |tasklist\ \|\ find\ |tasklist\ \|\ findstr\ |tasklist\.exe\ \|\ find\ |tasklist\.exe\ \|\ findstr\ |whoami\ /all\ \|\ find\ |whoami\ /all\ \|\ findstr\ |whoami\.exe\ /all\ \|\ find\ |whoami\.exe\ /all\ \|\ findstr\ )</field>
    </rule>
    <rule id="901176" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Finger.exe Suspicious Invocation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:finger\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+finger\.exe)$</field>
    </rule>
    <rule id="901177" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Filter Driver Unloaded Via Fltmc.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fltMC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:fltMC\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)unload</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:unload\ rtp_filesystem_filter)$</field>
    </rule>
    <rule id="901178" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Forfiles.EXE Child Process Masquerading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.exe|\.exe")$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:/c\ echo\ ")</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+forfiles\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
    </rule>
    <rule id="901179" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Arbitrary File Download Via GfxDownloadWrapper.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GfxDownloadWrapper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://|https://</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https://gameplayapi\.intel\.com/</field>
    </rule>
    <rule id="901180" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious GoogleUpdate Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+GoogleUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Google</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+setup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:chrome_updater\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:chrome_installer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901181" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Portable Gpg.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpg\.exe|\\+gpg2\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:gpg\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:GnuPGвЂ™s\ OpenPGP\ tool)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GNU\\+GnuPG\\+bin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GnuPG\ VS\-Desktop\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+GnuPG\\+bin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Gpg4win\\+bin\\+</field>
    </rule>
    <rule id="901182" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1615</id>
        </mitre>
        <description>Gpresult Display Group Policy Information</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpresult\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/z|/v</field>
    </rule>
    <rule id="901183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Arbitrary Binary Execution Using GUP Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+gup\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Notepad\+\+\\+notepad\+\+\.exe</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Notepad\+\+\\+updater\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901184" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>File Download Using Notepad++ GUP Utility</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GUP\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:gup\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-unzipTo\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+notepad\+\+\.exe)$</field>
    </rule>
    <rule id="901185" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Suspicious GUP Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Program\ Files\ $x86$\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Roaming\\+Notepad\+\+\\+updater\\+GUP\.exe)$</field>
    </rule>
    <rule id="901186" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
            <id>attack.t1047</id>
            <id>attack.t1059.001</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.007</id>
            <id>attack.t1218</id>
            <id>attack.t1218.001</id>
            <id>attack.t1218.010</id>
            <id>attack.t1218.011</id>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>HTML Help HH.EXE Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+hh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CertReq\.exe|\\+CertUtil\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+installutil\.exe|\\+MSbuild\.exe|\\+MSHTA\.EXE|\\+msiexec\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901187" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>HackTool - ADCSPwn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-adcs\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-port\ )</field>
    </rule>
    <rule id="901188" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)SharpHound</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)SharpHound</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)SpecterOps|evil\ corp</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Bloodhound\.exe|\\+SharpHound\.exe</field>
    </rule>
    <rule id="901189" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-CollectionMethod\ All\ |\ \-\-CollectionMethods\ Session\ |\ \-\-Loop\ \-\-Loopduration\ |\ \-\-PortScanTimeout\ |\.exe\ \-c\ All\ \-d\ |Invoke\-Bloodhound|Get\-BloodHoundData</field>
    </rule>
    <rule id="901190" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-JsonFolder\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ZipFileName\ )</field>
    </rule>
    <rule id="901191" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Bloodhound/Sharphound Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ DCOnly\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-NoSaveCache\ )</field>
    </rule>
    <rule id="901192" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>HackTool - F-Secure C3 Load by Rundll32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)StartNodeRelay</field>
    </rule>
    <rule id="901193" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certify.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>HackTool - Certify Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Certify\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Certify\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Certify</field>
    </rule>
    <rule id="901194" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.credential_access</id>
            <id>attack.t1649</id>
        </mitre>
        <description>HackTool - Certipy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Certipy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Certipy\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Certipy</field>
    </rule>
    <rule id="901195" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /C\ whoami)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Temp\\+)</field>
    </rule>
    <rule id="901196" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+runonce\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c\ echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)&gt;\ \\+\.\\+pipe</field>
    </rule>
    <rule id="901197" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /C\ echo</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ &gt;\ \\+\.\\+pipe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:conhost\.exe\ 0xffffffff\ \-ForceV1)$</field>
    </rule>
    <rule id="901198" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Potential CobaltStrike Process Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:/C\ whoami)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:conhost\.exe\ 0xffffffff\ \-ForceV1)$</field>
    </rule>
    <rule id="901199" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CoercedPotato\.exe)$</field>
    </rule>
    <rule id="901200" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-exploitId\ )</field>
    </rule>
    <rule id="901201" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - CoercedPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:a75d7669db6b2e107a44c4057ff7f7d6|f91624350e2c678c5dcbe5e1f24e22c9|14c81850a079a87e83d50ca41c709a15)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6|IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9|IMPHASH=14C81850A079A87E83D50CA41C709A15)$</field>
    </rule>
    <rule id="901202" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>HackTool - Covenant PowerShell Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Sta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Window</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Command|\-EncodedCommand</field>
    </rule>
    <rule id="901203" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1564.003</id>
        </mitre>
        <description>HackTool - Covenant PowerShell Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sv\ o\ $New\-Object\ IO\.MemorySteam$;sv\ d\ |mshta\ file\.hta|GruntHTTP|\-EncodedCommand\ cwB2ACAAbwAgA</field>
    </rule>
    <rule id="901204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+crackmapexec\.exe)$</field>
    </rule>
    <rule id="901205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ pe_inject\ )</field>
    </rule>
    <rule id="901206" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-x\ )</field>
    </rule>
    <rule id="901207" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-H\ 'NTHASH'</field>
    </rule>
    <rule id="901208" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ mssql\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
    </rule>
    <rule id="901209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ smb\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-H\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-M\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-o\ )</field>
    </rule>
    <rule id="901210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.t1110</id>
            <id>attack.t1201</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ smb\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-local\-auth</field>
    </rule>
    <rule id="901211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1053</id>
            <id>attack.t1059.003</id>
            <id>attack.t1059.001</id>
            <id>attack.s0106</id>
        </mitre>
        <description>HackTool - CrackMapExec Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /Q\ /c\ .+\ 1&gt;\ \\+.+\\+.+\\+.+\ 2&gt;\&amp;1|cmd\.exe\ /C\ .+\ &gt;\ \\+.+\\+.+\\+.+\ 2&gt;\&amp;1|cmd\.exe\ /C\ .+\ &gt;\ .+\\+Temp\\+.+\ 2&gt;\&amp;1|powershell\.exe\ \-exec\ bypass\ \-noni\ \-nop\ \-w\ 1\ \-C\ "|powershell\.exe\ \-noni\ \-nop\ \-w\ 1\ \-enc\ )</field>
    </rule>
    <rule id="901212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tasklist\ /fi\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Imagename\ eq\ lsass\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\.exe\ /c\ |cmd\.exe\ /r\ |cmd\.exe\ /k\ |cmd\ /c\ |cmd\ /r\ |cmd\ /k\ )</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
    </rule>
    <rule id="901213" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)do\ rundll32\.exe\ C:\\+windows\\+System32\\+comsvcs\.dll,\ MiniDump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%%B</field>
    </rule>
    <rule id="901214" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CrackMapExec Process Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tasklist\ /v\ /fo\ csv</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)findstr\ /i\ "lsass"</field>
    </rule>
    <rule id="901215" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - CreateMiniDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CreateMiniDump\.exe)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:4a07f944a83e8a7c2525efa35dd30e2f)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f</field>
    </rule>
    <rule id="901216" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>HackTool - DInjector PowerShell Cradle Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /am51</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /password</field>
    </rule>
    <rule id="901217" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Dumpert Process Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)09D278F9DE118EF09163C6140255C690</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Dumpert\.dll</field>
    </rule>
    <rule id="901218" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>HackTool - EDRSilencer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+EDRSilencer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:EDRSilencer\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)EDRSilencer</field>
    </rule>
    <rule id="901219" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Empire PowerShell Launch Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-NoP\ \-sta\ \-NonI\ \-W\ Hidden\ \-Enc\ |\ \-noP\ \-sta\ \-w\ 1\ \-enc\ |\ \-NoP\ \-NonI\ \-W\ Hidden\ \-enc\ |\ \-noP\ \-sta\ \-w\ 1\ \-enc|\ \-enc\ \ SQB|\ \-nop\ \-exec\ bypass\ \-EncodedCommand\ )</field>
    </rule>
    <rule id="901220" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>HackTool - Empire PowerShell UAC Bypass</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ \$x=\$$\(gp\ HKCU:Software\\+Microsoft\\+Windows\ Update$\.Update\)|\ \-NoP\ \-NonI\ \-c\ \$x=\$$\(gp\ HKCU:Software\\+Microsoft\\+Windows\ Update$\.Update\);</field>
    </rule>
    <rule id="901221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>HackTool - WinRM Access Via Evil-WinRM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ruby\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-i\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-p\ )</field>
    </rule>
    <rule id="901222" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1588.002</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Hacktool Execution - Imphash</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:bcca3c247b619dcd13c8cdff5f123932|3a19059bd7688cb88e70005f18efc439|bf6223a49e45d99094406777eb6004ba|23867a89c2b8fc733be6cf5ef902f2d1|a37ff327f8d48e8a4d2f757e1b6e70bc|f9a28c458284584a93b14216308d31bd|6118619783fc175bc7ebecff0769b46e|959a83047e80ab68b368fdb3f4c6e4ea|563233bfa169acc7892451f71ad5850a|87575cb7a0e0700eb37f2e3668671a08|13f08707f759af6003837a150a371ba1|1781f06048a7e58b323f0b9259be798b|233f85f2d4bc9d6521a6caae11a1e7f5|24af2584cbf4d60bbe5c6d1b31b3be6d|632969ddf6dbf4e0f53424b75e4b91f2|713c29b396b907ed71a72482759ed757|749a7bb1f0b4c4455949c0b2bf7f9e9f|8628b2608957a6b0c6330ac3de28ce2e|8b114550386e31895dfab371e741123d|94cb940a1a6b65bed4d5a8f849ce9793|9d68781980370e00e0bd939ee5e6c141|b18a1401ff8f444056d29450fbc0a6ce|cb567f9498452721d77a451374955f5f|730073214094cd328547bf1f72289752|17b461a082950fc6332228572138b80c|dc25ee78e2ef4d36faa0badf1e7461c9|819b19d53ca6736448f9325a85736792|829da329ce140d873b4a8bde2cbfaa7e|c547f2e66061a8dffb6f5a3ff63c0a74|0588081ab0e63ba785938467e1b10cca|0d9ec08bac6c07d9987dfd0f1506587c|bc129092b71c89b4d4c8cdf8ea590b29|4da924cf622d039d58bce71cdf05d242|e7a3a5c377e2d29324093377d7db1c66|9a9dbec5c62f0380b4fa5fd31deffedf|af8a3976ad71e5d5fdfb67ddb8dadfce|0c477898bbf137bbd6f2a54e3b805ff4|0ca9f02b537bcea20d4ea5eb1a9fe338|3ab3655e5a14d4eefc547f4781bf7f9e|e6f9d5152da699934b30daab206471f6|3ad59991ccf1d67339b319b15a41b35d|ffdd59e0318b85a3e480874d9796d872|0cf479628d7cc1ea25ec7998a92f5051|07a2d4dcbd6cb2c6a45e6b101f0b6d51|d6d0f80386e1380d05cb78e871bc72b1|38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650|ada161bf41b8e5e9132858cb54cab5fb|2a1bc4913cd5ecb0434df07cb675b798|11083e75553baae21dc89ce8f9a195e4|a23d29c9e566f2fa8ffbb79267f5df80|4a07f944a83e8a7c2525efa35dd30e2f|767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b|a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2|32089b8851bbf8bc2d014e9f37288c83|09D278F9DE118EF09163C6140255C690|03866661686829d806989e2fc5a72606|e57401fbdadcd4571ff385ab82bd5d6d|84B763C45C0E4A3E7CA5548C710DB4EE|19584675d94829987952432e018d5056|330768a4f172e10acb6287b87289d83b|885c99ccfbe77d1cbfcb9c4e7c1a3313|22a22bc9e4e0d2f189f1ea01748816ac|7fa30e6bb7e8e8a69155636e50bf1b28|96df3a3731912449521f6f8d183279b1|7e6cf3ff4576581271ac8a313b2aab46|51791678f351c03a0eb4e2a7b05c6e17|25ce42b079282632708fc846129e98a5|021bcca20ba3381b11bdde26b4e62f20|59223b5f52d8799d38e0754855cbdf42|81e75d8f1d276c156653d3d8813e4a43|17244e8b6b8227e57fe709ccad421420|5b76da3acdedc8a5cdf23a798b5936b4|cb2b65bb77d995cc1c0e5df1c860133c|40445337761d80cf465136fafb1f63e6|8a790f401b29fa87bc1e56f7272b3aa6|b50199e952c875241b9ce06c971ce3c1)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932|IMPHASH=3A19059BD7688CB88E70005F18EFC439|IMPHASH=bf6223a49e45d99094406777eb6004ba|IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1|IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC|IMPHASH=F9A28C458284584A93B14216308D31BD|IMPHASH=6118619783FC175BC7EBECFF0769B46E|IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA|IMPHASH=563233BFA169ACC7892451F71AD5850A|IMPHASH=87575CB7A0E0700EB37F2E3668671A08|IMPHASH=13F08707F759AF6003837A150A371BA1|IMPHASH=1781F06048A7E58B323F0B9259BE798B|IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5|IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D|IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2|IMPHASH=713C29B396B907ED71A72482759ED757|IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F|IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E|IMPHASH=8B114550386E31895DFAB371E741123D|IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793|IMPHASH=9D68781980370E00E0BD939EE5E6C141|IMPHASH=B18A1401FF8F444056D29450FBC0A6CE|IMPHASH=CB567F9498452721D77A451374955F5F|IMPHASH=730073214094CD328547BF1F72289752|IMPHASH=17B461A082950FC6332228572138B80C|IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9|IMPHASH=819B19D53CA6736448F9325A85736792|IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E|IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74|IMPHASH=0588081AB0E63BA785938467E1B10CCA|IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C|IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29|IMPHASH=4DA924CF622D039D58BCE71CDF05D242|IMPHASH=E7A3A5C377E2D29324093377D7DB1C66|IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF|IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE|IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4|IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338|IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E|IMPHASH=E6F9D5152DA699934B30DAAB206471F6|IMPHASH=3AD59991CCF1D67339B319B15A41B35D|IMPHASH=FFDD59E0318B85A3E480874D9796D872|IMPHASH=0CF479628D7CC1EA25EC7998A92F5051|IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51|IMPHASH=D6D0F80386E1380D05CB78E871BC72B1|IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650|IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB|IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798|IMPHASH=11083E75553BAAE21DC89CE8F9A195E4|IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80|IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F|IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B|IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F|IMPHASH=E96A73C7BF33A464C510EDE582318BF2|IMPHASH=32089B8851BBF8BC2D014E9F37288C83|IMPHASH=09D278F9DE118EF09163C6140255C690|IMPHASH=03866661686829d806989e2fc5a72606|IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d|IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE|IMPHASH=19584675D94829987952432E018D5056|IMPHASH=330768A4F172E10ACB6287B87289D83B|IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313|IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC|IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28|IMPHASH=96DF3A3731912449521F6F8D183279B1|IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46|IMPHASH=51791678F351C03A0EB4E2A7B05C6E17|IMPHASH=25CE42B079282632708FC846129E98A5|IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20|IMPHASH=59223B5F52D8799D38E0754855CBDF42|IMPHASH=81E75D8F1D276C156653D3D8813E4A43|IMPHASH=17244E8B6B8227E57FE709CCAD421420|IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4|IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C|IMPHASH=40445337761D80CF465136FAFB1F63E6|IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6|IMPHASH=B50199E952C875241B9CE06C971CE3C1</field>
    </rule>
    <rule id="901223" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1588.002</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Hacktool Execution - PE Metadata</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:Cube0x0)$</field>
    </rule>
    <rule id="901224" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gmer\.exe)$</field>
    </rule>
    <rule id="901225" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=E9DC058440D321AA17D0600B3CA0AB04|SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57|SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173</field>
    </rule>
    <rule id="901226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>HackTool - GMER Rootkit Detector and Remover Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:e9dc058440d321aa17d0600b3ca0ab04)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:539c228b6b332f5aa523e5ce358c16647d8bbe57)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173)$</field>
    </rule>
    <rule id="901227" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+loader\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-pid:</field>
    </rule>
    <rule id="901228" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:38d9e015591bbfd4929e0d0f47fa0055|0e2216679ca6e1094d63322e3412d650)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:IMPHASH=38D9E015591BBFD4929E0D0F47FA0055|IMPHASH=0E2216679CA6E1094D63322E3412D650)$</field>
    </rule>
    <rule id="901229" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - HandleKatz LSASS Dumper Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-pid:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-outfile:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp|lsass|\.obf|dump</field>
    </rule>
    <rule id="901230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.002</id>
        </mitre>
        <description>HackTool - Hashcat Password Cracker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+hashcat\.exe)$</field>
    </rule>
    <rule id="901231" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110.002</id>
        </mitre>
        <description>HackTool - Hashcat Password Cracker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-m\ 1000\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-r\ )</field>
    </rule>
    <rule id="901232" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
            <id>attack.s0040</id>
        </mitre>
        <description>HackTool - Htran/NATBypass Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+htran\.exe|\\+lcx\.exe)$</field>
    </rule>
    <rule id="901233" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
            <id>attack.s0040</id>
        </mitre>
        <description>HackTool - Htran/NATBypass Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ \-tran\ |\.exe\ \-slave\ )</field>
    </rule>
    <rule id="901234" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1110</id>
            <id>attack.t1110.001</id>
        </mitre>
        <description>HackTool - Hydra Password Bruteforce Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\^USER\^|\^PASS\^</field>
    </rule>
    <rule id="901235" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>HackTool - Potential Impacket Lateral Movement Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wmiprvse\.exe|\\+mmc\.exe|\\+explorer\.exe|\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Q</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+127\.0\.0\.1\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;1</field>
    </rule>
    <rule id="901236" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>HackTool - Potential Impacket Lateral Movement Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)svchost\.exe\ \-k\ netsvcs|taskeng\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/C</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Windows\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;1</field>
    </rule>
    <rule id="901237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>HackTool - Impacket Tools Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+goldenPac|\\+karmaSMB|\\+kintercept|\\+ntlmrelayx|\\+rpcdump|\\+samrdump|\\+secretsdump|\\+smbexec|\\+smbrelayx|\\+wmiexec|\\+wmipersist</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+atexec_windows\.exe|\\+dcomexec_windows\.exe|\\+dpapi_windows\.exe|\\+findDelegation_windows\.exe|\\+GetADUsers_windows\.exe|\\+GetNPUsers_windows\.exe|\\+getPac_windows\.exe|\\+getST_windows\.exe|\\+getTGT_windows\.exe|\\+GetUserSPNs_windows\.exe|\\+ifmap_windows\.exe|\\+mimikatz_windows\.exe|\\+netview_windows\.exe|\\+nmapAnswerMachine_windows\.exe|\\+opdump_windows\.exe|\\+psexec_windows\.exe|\\+rdp_check_windows\.exe|\\+sambaPipe_windows\.exe|\\+smbclient_windows\.exe|\\+smbserver_windows\.exe|\\+sniff_windows\.exe|\\+sniffer_windows\.exe|\\+split_windows\.exe|\\+ticketer_windows\.exe)$</field>
    </rule>
    <rule id="901238" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)impersonate\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ list\ |\ exec\ |\ adduser\ )</field>
    </rule>
    <rule id="901239" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=9520714AB576B0ED01D1513691377D01|SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A|IMPHASH=0A358FFC1697B7A07D0E817AC740DF62</field>
    </rule>
    <rule id="901240" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - Impersonate Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:9520714AB576B0ED01D1513691377D01)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:0A358FFC1697B7A07D0E817AC740DF62)$</field>
    </rule>
    <rule id="901241" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - Inveigh Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Inveigh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:\\+Inveigh\.exe|\\+Inveigh\.dll)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Inveigh)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-SpooferIP|\ \-ReplyToIPs\ |\ \-ReplyToDomains\ |\ \-ReplyToMACs\ |\ \-SnifferIP</field>
    </rule>
    <rule id="901242" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation CLIP+ Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clipboard\]::</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="901243" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Obfuscated IEX Invocation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$env:ComSpec\[(\s*\d{1,3}\s*,){2}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).+mdr.+\W\s*\)\.Name</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$VerbosePreference\.ToString\(</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[String\]\s*\$VerbosePreference</field>
    </rule>
    <rule id="901244" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR+ Launcher</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c|/r</field>
    </rule>
    <rule id="901245" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation COMPRESS OBFUSCATION</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)text\.encoding\]::ascii</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.io\.compression\.deflatestream|system\.io\.streamreader|readtoend\(</field>
    </rule>
    <rule id="901246" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Stdin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)environment|invoke|input</field>
    </rule>
    <rule id="901247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use Clip</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clip</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clipboard|invoke|i`|n`|v`|o`|k`|e`</field>
    </rule>
    <rule id="901248" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation Via Use MSHTA</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)vbscript:createobject</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$window\.close$</field>
    </rule>
    <rule id="901249" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;\&amp;set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\{0\}|\{1\}|\{2\}|\{3\}|\{4\}|\{5\}</field>
    </rule>
    <rule id="901250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xcopy\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901251" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xcopy\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pwsh\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901252" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>HackTool - Jlaive In-Memory Assembly Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\.bat)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+attrib\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\+s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\+h</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.bat\.exe</field>
    </rule>
    <rule id="901253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+KrbRelay\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:KrbRelay\.exe)$</field>
    </rule>
    <rule id="901254" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-spn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-clsid\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-rbcd\ )</field>
    </rule>
    <rule id="901255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadowcred</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clsid</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)spn</field>
    </rule>
    <rule id="901256" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
        </mitre>
        <description>HackTool - KrbRelay Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:spn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:session\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:clsid\ )</field>
    </rule>
    <rule id="901257" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+KrbRelayUp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:KrbRelayUp\.exe)$</field>
    </rule>
    <rule id="901258" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ relay\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-Domain\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ComputerName\ )</field>
    </rule>
    <rule id="901259" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ krbscm\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-sc\ )</field>
    </rule>
    <rule id="901260" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - KrbRelayUp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ spawn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-cn\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-cp\ )</field>
    </rule>
    <rule id="901261" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+LocalPotato\.exe)$</field>
    </rule>
    <rule id="901262" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-i\ C:\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-o\ Windows\\+</field>
    </rule>
    <rule id="901263" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=E1742EE971D6549E8D4D81115F88F1FC|IMPHASH=DD82066EFBA94D7556EF582F247C8BB5</field>
    </rule>
    <rule id="901264" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>cve.2023.21746</id>
        </mitre>
        <description>HackTool - LocalPotato Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:E1742EE971D6549E8D4D81115F88F1FC|DD82066EFBA94D7556EF582F247C8BB5)$</field>
    </rule>
    <rule id="901265" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)echo</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+pipe\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd|%COMSPEC%</field>
    </rule>
    <rule id="901266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll,a</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/p:</field>
    </rule>
    <rule id="901267" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.002</id>
        </mitre>
        <description>Potential Meterpreter/CobaltStrike Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)MpCmdRun</field>
    </rule>
    <rule id="901268" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DumpCreds|mimikatz</field>
    </rule>
    <rule id="901269" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::aadcookie|::detours|::memssp|::mflt|::ncroutemon|::ngcsign|::printnightmare|::skeleton|::preshutdown|::mstsc|::multirdp</field>
    </rule>
    <rule id="901270" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.t1003.002</id>
            <id>attack.t1003.004</id>
            <id>attack.t1003.005</id>
            <id>attack.t1003.006</id>
        </mitre>
        <description>HackTool - Mimikatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rpc::|token::|crypto::|dpapi::|sekurlsa::|kerberos::|lsadump::|privilege::|process::|vault::</field>
    </rule>
    <rule id="901271" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PCHunter64\.exe|\\+PCHunter32\.exe)$</field>
    </rule>
    <rule id="901272" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PCHunter\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Epoolsoft\ Windows\ Information\ View\ Tools)$</field>
    </rule>
    <rule id="901273" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA1=5F1CBC3D99558307BC1250D084FA968521482025|MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7|SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32|IMPHASH=444D210CEA1FF8112F256A4997EED7FF|SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB|MD5=228DD0C2E6287547E26FFBD973A40F14|SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C|IMPHASH=0479F44DF47CFA2EF1CCC4416A538663</field>
    </rule>
    <rule id="901274" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
            <id>attack.t1057</id>
            <id>attack.t1012</id>
            <id>attack.t1083</id>
            <id>attack.t1007</id>
        </mitre>
        <description>HackTool - PCHunter Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:228dd0c2e6287547e26ffbd973a40f14|987b65cd9b9f4e9a1afd8f8b48cf64a7)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:5f1cbc3d99558307bc1250d084fa968521482025|3fb89787cb97d902780da080545584d97fb1c2eb)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32|55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:444d210cea1ff8112f256a4997eed7ff|0479f44df47cfa2ef1ccc4416a538663)$</field>
    </rule>
    <rule id="901275" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.s0111</id>
            <id>attack.g0022</id>
            <id>attack.g0060</id>
            <id>car.2013-08-001</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>HackTool - Default PowerSploit/Empire Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell\.exe\ \-NonI</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/TN\ Updater\ /TR</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/SC\ ONLOGON|/SC\ DAILY\ /ST|/SC\ ONIDLE|/SC\ HOURLY</field>
    </rule>
    <rule id="901276" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - PowerTool Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PowerTool\.exe|\\+PowerTool64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerTool\.exe)$</field>
    </rule>
    <rule id="901277" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>HackTool - PurpleSharp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+purplesharp</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PurpleSharp\.exe)$</field>
    </rule>
    <rule id="901278" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1587</id>
            <id>attack.resource_development</id>
        </mitre>
        <description>HackTool - PurpleSharp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)xyz123456\.exe|PurpleSharp</field>
    </rule>
    <rule id="901279" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Pypykatz Credentials Dumping Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pypykatz\.exe|\\+python\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)live</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)registry</field>
    </rule>
    <rule id="901280" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Quarks PwDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+QuarksPwDump\.exe)$</field>
    </rule>
    <rule id="901281" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>HackTool - Quarks PwDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:\ \-dhl|\ \-\-dump\-hash\-local|\ \-dhdc|\ \-\-dump\-hash\-domain\-cached|\ \-\-dump\-bitlocker|\ \-dhd\ |\ \-\-dump\-hash\-domain\ |\-\-ntds\-file)$</field>
    </rule>
    <rule id="901282" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1106</id>
            <id>attack.t1059.003</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>HackTool - RedMimicry Winnti Playbook Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gthread\-3\.6\.dll|\\+Windows\\+Temp\\+tmp\.bat|sigcmm\-2\.4\.dll</field>
    </rule>
    <rule id="901283" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)PetitPotam|RottenPotato|HotPotato|JuicyPotato|\\+just_dce_|Juicy\ Potato|\\+temp\\+rot\.exe|\\+Potato\.exe|\\+SpoolSample\.exe|\\+Responder\.exe|\\+smbrelayx|\\+ntlmrelayx|\\+LocalPotato</field>
    </rule>
    <rule id="901284" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-Tater|\ smbrelay|\ ntlmrelay|cme\ smb\ |\ /ntlm:NTLMhash\ |Invoke\-PetitPotam|\.exe\ \-t\ .+\ \-p\ )</field>
    </rule>
    <rule id="901285" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-c\ "\{</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\}"\ \-z)$</field>
    </rule>
    <rule id="901286" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1557.001</id>
        </mitre>
        <description>Potential SMB Relay Attack Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)HotPotatoes6</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)HotPotatoes7</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:HotPotatoes\ )</field>
    </rule>
    <rule id="901287" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1558.003</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1550.003</id>
        </mitre>
        <description>HackTool - Rubeus Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Rubeus\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Rubeus\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Rubeus)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)asreproast\ |dump\ /service:krbtgt\ |dump\ /luid:0x|kerberoast\ |createnetonly\ /program:|ptt\ /ticket:|/impersonateuser:|renew\ /ticket:|asktgt\ /user:|harvest\ /interval:|s4u\ /user:|s4u\ /ticket:|hash\ /password:|golden\ /aes256:|silver\ /user:</field>
    </rule>
    <rule id="901288" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - SafetyKatz Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SafetyKatz\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SafetyKatz\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:SafetyKatz)$</field>
    </rule>
    <rule id="901289" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
        </mitre>
        <description>HackTool - SecurityXploded Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:SecurityXploded)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:PasswordDump\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)(?:PasswordDump\.exe)$</field>
    </rule>
    <rule id="901290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.004</id>
        </mitre>
        <description>HackTool - PPID Spoofing SelectMyParent Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SelectMyParent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:PPID\-spoof|ppid_spoof|spoof\-ppid|spoof_ppid|ppidspoof|spoofppid|spoofedppid|\ \-spawnto\ )</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)PPID\-spoof|ppid_spoof|spoof\-ppid|spoof_ppid|ppidspoof|spoofppid|spoofedppid</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:SelectMyParent)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:04d974875bd225f00902b4cad9af3fbc|a782af154c9e743ddf3f3eb2b8f3d16e|89059503d7fbf470e68f7e63313da3ad|ca28337632625c8281ab8a130b3d6bad)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=04D974875BD225F00902B4CAD9AF3FBC|IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E|IMPHASH=89059503D7FBF470E68F7E63313DA3AD|IMPHASH=CA28337632625C8281AB8A130B3D6BAD</field>
    </rule>
    <rule id="901291" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharPersist\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:SharPersist)$</field>
    </rule>
    <rule id="901292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ schtask\ \-c\ |\ \-t\ startupfolder\ \-c\ )</field>
    </rule>
    <rule id="901293" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ reg\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901294" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ service\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901295" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
        </mitre>
        <description>HackTool - SharPersist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-t\ schtask\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m\ add</field>
    </rule>
    <rule id="901296" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>HackTool - SharpEvtMute Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpEvtMute\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:SharpEvtMute)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-Filter\ "rule\ |\-\-Encoded\ \-\-Filter\ \\+"</field>
    </rule>
    <rule id="901297" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpLdapWhoami\.exe)$</field>
    </rule>
    <rule id="901298" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)SharpLdapWhoami</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:SharpLdapWhoami)$</field>
    </rule>
    <rule id="901299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>HackTool - SharpLdapWhoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /method:ntlm|\ /method:kerb|\ /method:nego|\ /m:nego|\ /m:ntlm|\ /m:kerb)$</field>
    </rule>
    <rule id="901300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>HackTool - SharpMove Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpMove\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SharpMove\.exe)$</field>
    </rule>
    <rule id="901301" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1615</id>
            <id>attack.t1569.002</id>
            <id>attack.t1574.005</id>
        </mitre>
        <description>HackTool - SharpUp PrivEsc Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpUp\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:SharpUp)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HijackablePaths|UnquotedServicePath|ProcessDLLHijack|ModifiableServiceBinaries|ModifiableScheduledTask|DomainGPPPassword|CachedGPPPassword</field>
    </rule>
    <rule id="901302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1049</id>
            <id>attack.t1069.002</id>
            <id>attack.t1482</id>
            <id>attack.t1135</id>
            <id>attack.t1033</id>
        </mitre>
        <description>HackTool - SharpView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SharpView\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpView\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-RemoteConnection|Convert\-ADName|ConvertFrom\-SID|ConvertFrom\-UACValue|Convert\-SidToName|Export\-PowerViewCSV|Find\-DomainObjectPropertyOutlier|Find\-DomainProcess|Find\-DomainShare|Find\-DomainUserEvent|Find\-DomainUserLocation|Find\-ForeignGroup|Find\-ForeignUser|Find\-GPOComputerAdmin|Find\-GPOLocation|Find\-Interesting|Find\-LocalAdminAccess|Find\-ManagedSecurityGroups|Get\-CachedRDPConnection|Get\-DFSshare|Get\-DomainComputer|Get\-DomainController|Get\-DomainDFSShare|Get\-DomainDNSRecord|Get\-DomainFileServer|Get\-DomainForeign|Get\-DomainGPO|Get\-DomainGroup|Get\-DomainGUIDMap|Get\-DomainManagedSecurityGroup|Get\-DomainObject|Get\-DomainOU|Get\-DomainPolicy|Get\-DomainSID|Get\-DomainSite|Get\-DomainSPNTicket|Get\-DomainSubnet|Get\-DomainTrust|Get\-DomainUserEvent|Get\-ForestDomain|Get\-ForestGlobalCatalog|Get\-ForestTrust|Get\-GptTmpl|Get\-GroupsXML|Get\-LastLoggedOn|Get\-LoggedOnLocal|Get\-NetComputer|Get\-NetDomain|Get\-NetFileServer|Get\-NetForest|Get\-NetGPO|Get\-NetGroupMember|Get\-NetLocalGroup|Get\-NetLoggedon|Get\-NetOU|Get\-NetProcess|Get\-NetRDPSession|Get\-NetSession|Get\-NetShare|Get\-NetSite|Get\-NetSubnet|Get\-NetUser|Get\-PathAcl|Get\-PrincipalContext|Get\-RegistryMountedDrive|Get\-RegLoggedOn|Get\-WMIRegCachedRDPConnection|Get\-WMIRegLastLoggedOn|Get\-WMIRegMountedDrive|Get\-WMIRegProxy|Invoke\-ACLScanner|Invoke\-CheckLocalAdminAccess|Invoke\-Kerberoast|Invoke\-MapDomainTrust|Invoke\-RevertToSelf|Invoke\-Sharefinder|Invoke\-UserImpersonation|Remove\-DomainObjectAcl|Remove\-RemoteConnection|Request\-SPNTicket|Set\-DomainObject|Test\-AdminAccess</field>
    </rule>
    <rule id="901303" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>HackTool - SharpChisel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpChisel\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:SharpChisel)$</field>
    </rule>
    <rule id="901304" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - SharpImpersonation Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpImpersonation\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SharpImpersonation\.exe)$</field>
    </rule>
    <rule id="901305" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1134.001</id>
            <id>attack.t1134.003</id>
        </mitre>
        <description>HackTool - SharpImpersonation Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ binary:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ shellcode:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ technique:CreateProcessAsUserW|\ technique:ImpersonateLoggedOnuser</field>
    </rule>
    <rule id="901306" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>HackTool - SharpLDAPmonitor Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SharpLDAPmonitor\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SharpLDAPmonitor\.exe)$</field>
    </rule>
    <rule id="901307" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>HackTool - SharpLDAPmonitor Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/user:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/pass:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/dcip:</field>
    </rule>
    <rule id="901308" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071</id>
        </mitre>
        <description>HackTool - SILENTTRINITY Stager Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)st2stager</field>
    </rule>
    <rule id="901309" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>HackTool - Sliver C2 Implant Activity Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-NoExit\ \-Command\ \[Console\]::OutputEncoding=\[Text\.UTF8Encoding\]::UTF8</field>
    </rule>
    <rule id="901310" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>HackTool - Stracciatella Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Stracciatella\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Stracciatella\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Stracciatella)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956|SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956|fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a)$</field>
    </rule>
    <rule id="901311" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2022.41120</id>
            <id>attack.t1068</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - SysmonEOP Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SysmonEOP\.exe)$</field>
    </rule>
    <rule id="901312" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml</info>
        
        
        
        
        
        <mitre>
            <id>cve.2022.41120</id>
            <id>attack.t1068</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>HackTool - SysmonEOP Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5|IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:22f4089eb8aba31e1bb162c6d9bf72e5|5123fa4c4384d431cd0d893eeb49bbec)$</field>
    </rule>
    <rule id="901313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
        </mitre>
        <description>HackTool - TruffleSnout Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:TruffleSnout\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+TruffleSnout\.exe)$</field>
    </rule>
    <rule id="901314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:UACMe)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:REvol\ Corp|APT\ 92|UG\ North|Hazardous\ Environments|CD\ Project\ Rekt)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:UACMe\ main\ module|Pentesting\ utility)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Akagi\.exe|Akagi64\.exe)$</field>
    </rule>
    <rule id="901315" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Akagi64\.exe|\\+Akagi\.exe)$</field>
    </rule>
    <rule id="901316" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=767637C23BB42CD5D7397CF58B0BE688|IMPHASH=14C4E4C72BA075E9069EE67F39188AD8|IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC|IMPHASH=7D010C6BB6A3726F327F7E239166D127|IMPHASH=89159BA4DD04E4CE5559F132A9964EB3|IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F|IMPHASH=5834ED4291BDEB928270428EBBAF7604|IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38|IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894|IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74|IMPHASH=3DE09703C8E79ED2CA3F01074719906B</field>
    </rule>
    <rule id="901317" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>HackTool - UACMe Akagi Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:767637c23bb42cd5d7397cf58b0be688|14c4e4c72ba075e9069ee67f39188ad8|3c782813d4afce07bbfc5a9772acdbdc|7d010c6bb6a3726f327f7e239166d127|89159ba4dd04e4ce5559f132a9964eb3|6f33f4a5fc42b8cec7314947bd13f30f|5834ed4291bdeb928270428ebbaf7604|5a8a8a43f25485e7ee1b201edcbc7a38|dc7d30b90b2d8abf664fbed2b1b59894|41923ea1f824fe63ea5beb84db7a3e74|3de09703c8e79ed2ca3f01074719906b)$</field>
    </rule>
    <rule id="901318" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:a53a02b997935fd8eedcb5f7abab9b9f|e96a73c7bf33a464c510ede582318bf2)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f|IMPHASH=e96a73c7bf33a464c510ede582318bf2</field>
    </rule>
    <rule id="901319" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ \-S)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe)$</field>
    </rule>
    <rule id="901320" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>HackTool - Windows Credential Editor (WCE) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+clussvc\.exe)$</field>
    </rule>
    <rule id="901321" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:winPEAS\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winPEASany_ofs\.exe|\\+winPEASany\.exe|\\+winPEASx64_ofs\.exe|\\+winPEASx64\.exe|\\+winPEASx86_ofs\.exe|\\+winPEASx86\.exe)$</field>
    </rule>
    <rule id="901322" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ applicationsinfo|\ browserinfo|\ eventsinfo|\ fileanalysis|\ filesinfo|\ processinfo|\ servicesinfo|\ windowscreds</field>
    </rule>
    <rule id="901323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https://github\.com/carlospolop/PEASS\-ng/releases/latest/download/</field>
    </rule>
    <rule id="901324" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1082</id>
            <id>attack.t1087</id>
            <id>attack.t1046</id>
        </mitre>
        <description>HackTool - winPEAS Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ \-linpeas)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-linpeas)$</field>
    </rule>
    <rule id="901325" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1046</id>
            <id>attack.t1082</id>
            <id>attack.t1106</id>
            <id>attack.t1518</id>
            <id>attack.t1548.002</id>
            <id>attack.t1552.001</id>
            <id>attack.t1555</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>HackTool - WinPwn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Offline_Winpwn|WinPwn\ |WinPwn\.exe|WinPwn\.ps1</field>
    </rule>
    <rule id="901326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>HackTool - Wmiexec Default Powershell Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-NoP\ \-NoL\ \-sta\ \-NonI\ \-W\ Hidden\ \-Exec\ Bypass\ \-Enc</field>
    </rule>
    <rule id="901327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>HackTool - XORDump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xordump\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-process\ lsass\.exe\ |\ \-m\ comsvcs\ |\ \-m\ dbghelp\ |\ \-m\ dbgcore\ )</field>
    </rule>
    <rule id="901328" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious ZipExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/generic:Microsoft_Windows_Shell_ZipFolder:filename=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/pass:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/user:</field>
    </rule>
    <rule id="901329" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious ZipExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft_Windows_Shell_ZipFolder:filename=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
    </rule>
    <rule id="901330" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Execution of Hostname</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+HOSTNAME\.EXE)$</field>
    </rule>
    <rule id="901331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.t1059.003</id>
            <id>attack.g0032</id>
        </mitre>
        <description>Suspicious HWP Sub Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Hwp\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gbb\.exe)$</field>
    </rule>
    <rule id="901332" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Fake Instance Of Hxtsr.EXE Executed</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+hxtsr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+program\ files\\+windowsapps\\+microsoft\.windowscommunicationsapps_</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+hxtsr\.exe)$</field>
    </rule>
    <rule id="901333" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Microsoft IIS Service Account Password Dumped</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+appcmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:appcmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:list\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /config|\ /xml|\ \-config|\ \-xml</field>
    </rule>
    <rule id="901334" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>IIS Native-Code Module Command Line Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+appcmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:appcmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)install</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)module</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-name:)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+inetsrv\\+iissetup\.exe)$</field>
    </rule>
    <rule id="901335" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)appcmd\.exe\ add\ module</field>
    </rule>
    <rule id="901336" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ system\.enterpriseservices\.internal\.publish</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
    </rule>
    <rule id="901337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.004</id>
        </mitre>
        <description>Suspicious IIS Module Registration</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gacutil</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /I</field>
    </rule>
    <rule id="901338" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>ImagingDevices Unusual Parent/Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ImagingDevices\.exe)$</field>
    </rule>
    <rule id="901339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>ImagingDevices Unusual Parent/Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ImagingDevices\.exe)$</field>
    </rule>
    <rule id="901340" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>InfDefaultInstall.exe .inf Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:InfDefaultInstall\.exe\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.inf</field>
    </rule>
    <rule id="901341" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Execution of InstallUtil Without Log</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+InstallUtil\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)Microsoft\.NET\\+Framework</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/logfile=\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/LogToConsole=false</field>
    </rule>
    <rule id="901342" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Shells Spawn by Java Utility Keytool</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+keytool\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+sh\.exe|\\+bash\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+schtasks\.exe|\\+certutil\.exe|\\+whoami\.exe|\\+bitsadmin\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+scrcons\.exe|\\+regsvr32\.exe|\\+hh\.exe|\\+wmic\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+forfiles\.exe|\\+scriptrunner\.exe|\\+mftrace\.exe|\\+AppVLP\.exe|\\+systeminfo\.exe|\\+reg\.exe|\\+query\.exe)$</field>
    </rule>
    <rule id="901343" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1102</id>
        </mitre>
        <description>Suspicious Child Process Of Manage Engine ServiceDesk</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+ManageEngine\\+ServiceDesk\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+java\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+calc\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+mftrace\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+query\.exe|\\+reg\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ stop</field>
    </rule>
    <rule id="901344" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1203</id>
            <id>attack.execution</id>
        </mitre>
        <description>Java Running with Remote Debugging</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)transport=dt_socket,address=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)jre1\.|jdk1\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)address=127\.0\.0\.1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)address=localhost</field>
    </rule>
    <rule id="901345" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Processes Spawned by Java.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mftrace\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+query\.exe|\\+reg\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901346" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Shell Process Spawned by Java.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)build</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)build</field>
    </rule>
    <rule id="901347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
        </mitre>
        <description>Suspicious SysAidServer Child</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)SysAidServer</field>
    </rule>
    <rule id="901348" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kd_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Windows Kernel Debugger Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+kd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:kd\.exe)$</field>
    </rule>
    <rule id="901349" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Active Directory Structure Export Via Ldifde.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ldifde\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ldifde\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-i</field>
    </rule>
    <rule id="901350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Custom Class Execution via Xwizard</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xwizard\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}</field>
    </rule>
    <rule id="901351" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567</id>
        </mitre>
        <description>Suspicious ConfigSecurityPolicy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ConfigSecurityPolicy\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ConfigSecurityPolicy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ConfigSecurityPolicy\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https://|http://|ftp://</field>
    </rule>
    <rule id="901352" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Suspicious CustomShellHost Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+CustomShellHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
    </rule>
    <rule id="901353" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>ZOHO Dctask64 Process Injection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dctask64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)DesktopCentral_Agent\\+agent</field>
    </rule>
    <rule id="901354" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Lolbin Defaultpack.exe Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+defaultpack\.exe)$</field>
    </rule>
    <rule id="901355" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>DeviceCredentialDeployment Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DeviceCredentialDeployment\.exe)$</field>
    </rule>
    <rule id="901356" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Devtoolslauncher.exe Executes Specified Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+devtoolslauncher\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchForDeploy</field>
    </rule>
    <rule id="901357" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Suspicious Diantz Alternate Data Stream Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)diantz\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^\\+]</field>
    </rule>
    <rule id="901358" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Suspicious Diantz Download and Compress Into a CAB File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)diantz\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
    </rule>
    <rule id="901359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Xwizard DLL Sideloading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+xwizard\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
    </rule>
    <rule id="901360" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Application Whitelisting Bypass via Dnx.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dnx\.exe)$</field>
    </rule>
    <rule id="901361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Dump64.exe Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Installer\\+Feedback\\+dump64\.exe</field>
    </rule>
    <rule id="901362" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Suspicious Dump64.exe Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dump64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-ma\ |accepteula</field>
    </rule>
    <rule id="901363" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious Extexport Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Extexport\.exe</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Extexport\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:extexport\.exe)$</field>
    </rule>
    <rule id="901364" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Suspicious Extrac32 Alternate Data Stream Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)extrac32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^\\+]</field>
    </rule>
    <rule id="901365" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Format.com FileSystem LOLBIN</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+format\.com)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/fs:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:FAT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:exFAT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:NTFS</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:UDF</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/fs:ReFS</field>
    </rule>
    <rule id="901366" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of FSharp Interpreters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fsianycpu\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:fsianycpu\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+fsi\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:fsi\.exe)$</field>
    </rule>
    <rule id="901367" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>LOLBIN Execution Of The FTP.EXE Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ftp\.exe)$</field>
    </rule>
    <rule id="901368" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Gpscript Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:GPSCRIPT\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /logon|\ /startup</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)^(?:C:\\+windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ gpsvc)$</field>
    </rule>
    <rule id="901369" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Ie4uinit Lolbin Use From Invalid Path</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ie4uinit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:IE4UINIT\.EXE)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+system32\\+)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+sysWOW64\\+)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901370" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Ilasm Lolbin Use Compile C-Sharp</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ilasm\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ilasm\.exe)$</field>
    </rule>
    <rule id="901371" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>JSC Convert Javascript To Executable</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+jsc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.js</field>
    </rule>
    <rule id="901372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Kavremover Dropped Binary LOLBIN Usage</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ run\-cmd\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+kavremover\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cleanapi\.exe)$</field>
    </rule>
    <rule id="901373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Manage-bde.wsf Abuse To Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)manage\-bde\.wsf</field>
    </rule>
    <rule id="901374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Manage-bde.wsf Abuse To Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)manage\-bde\.wsf</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
    </rule>
    <rule id="901375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.001</id>
            <id>attack.t1218.013</id>
        </mitre>
        <description>Mavinject Inject DLL Into Running Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /INJECTRUNNING\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+AppVClient\.exe)$</field>
    </rule>
    <rule id="901376" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execute Files with Msdeploy.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)verb:sync</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-source:RunCommand</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-dest:runCommand</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdeploy\.exe)$</field>
    </rule>
    <rule id="901377" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Execute MSDT Via Answer File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+WINDOWS\\+diagnostics\\+index\\+PCWDiagnostic\.xml</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-af\ |\ /af\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
    </rule>
    <rule id="901378" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of OpenConsole</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:OpenConsole\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OpenConsole\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal)</field>
    </rule>
    <rule id="901379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>OpenWith.exe Executes Specified Binary</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OpenWith\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/c</field>
    </rule>
    <rule id="901380" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Use of Pcalua For Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pcalua\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-a</field>
    </rule>
    <rule id="901381" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Indirect Command Execution By Program Compatibility Wizard</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
    </rule>
    <rule id="901382" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Execute Pcwrun.EXE To Leverage Follina</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pcwrun\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.\./</field>
    </rule>
    <rule id="901383" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Execute Code with Pester.bat</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Pester</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Help</field>
    </rule>
    <rule id="901384" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Execute Code with Pester.bat</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pester</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i);</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)help|\\+.</field>
    </rule>
    <rule id="901385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>PrintBrm ZIP Creation of Extraction</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PrintBrm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.zip</field>
    </rule>
    <rule id="901386" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216.001</id>
        </mitre>
        <description>Pubprn.vbs Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+pubprn\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)script:</field>
    </rule>
    <rule id="901387" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>REGISTER_APP.VBS Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+register_app\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-register</field>
    </rule>
    <rule id="901388" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of Remote.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+remote\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:remote\.exe)$</field>
    </rule>
    <rule id="901389" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Replace.exe Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+replace\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-a)</field>
    </rule>
    <rule id="901390" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Lolbin Runexehelper Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+runexehelper\.exe)$</field>
    </rule>
    <rule id="901391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Runscripthelper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Runscripthelper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)surfacecheck</field>
    </rule>
    <rule id="901392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Use of Setres.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+setres\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+choice)$</field>
    </rule>
    <rule id="901393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.008</id>
        </mitre>
        <description>Using SettingSyncHost.exe as LOLBin</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)cmd\.exe\ /c</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)RoamDiag\.cmd</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-outputpath</field>
    </rule>
    <rule id="901394" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Use Of The SFTP.EXE Binary As A LOLBIN</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sftp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-D\ \.\.|\ \-D\ C:\\+</field>
    </rule>
    <rule id="901395" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Sideloading Link.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+link\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LINK\ /</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Visual\ Studio\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+VC\\+Tools\\+MSVC\\+</field>
    </rule>
    <rule id="901396" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Suspicious Sigverif Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sigverif\.exe)$</field>
    </rule>
    <rule id="901397" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Lolbin Ssh.exe Use As Proxy</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+OpenSSH\\+sshd\.exe)$</field>
    </rule>
    <rule id="901398" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Suspicious Driver Install by pnputil.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-i|/install|\-a|/add\-driver|\.inf</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pnputil\.exe)$</field>
    </rule>
    <rule id="901399" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Suspicious GrpConv Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)grpconv\.exe\ \-o|grpconv\ \-o</field>
    </rule>
    <rule id="901400" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Dumping Process via Sqldumper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqldumper\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x0110|0x01100:40</field>
    </rule>
    <rule id="901401" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1216</id>
        </mitre>
        <description>SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SyncAppvPublishingServer\.vbs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i);</field>
    </rule>
    <rule id="901402" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055.001</id>
        </mitre>
        <description>Potential DLL Injection Or Execution Using Tracker.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tracker\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Tracker)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /d\ |\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /ERRORREPORT:PROMPT\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Msbuild\\+Current\\+Bin\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Msbuild\\+Current\\+Bin\\+amd64\\+MSBuild\.exe)$</field>
    </rule>
    <rule id="901403" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of TTDInject.exe</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:ttdinject\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:TTDInject\.EXE)$</field>
    </rule>
    <rule id="901404" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1218</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Time Travel Debugging Utility Usage</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+tttracer\.exe)$</field>
    </rule>
    <rule id="901405" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential Download/Upload Activity Using Type Command</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ &gt;\ \\+</field>
    </rule>
    <rule id="901406" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential Download/Upload Activity Using Type Command</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type\ \\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
    </rule>
    <rule id="901407" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>UtilityFunctions.ps1 Proxy Dll</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:UtilityFunctions\.ps1|RegSnapin\ )</field>
    </rule>
    <rule id="901408" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Use of VisualUiaVerifyNative.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VisualUiaVerifyNative\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:VisualUiaVerifyNative\.exe)$</field>
    </rule>
    <rule id="901409" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.004</id>
        </mitre>
        <description>Visual Basic Command Line Compiler Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vbc\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cvtres\.exe)$</field>
    </rule>
    <rule id="901410" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Use of Wfc.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wfc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wfc\.exe)$</field>
    </rule>
    <rule id="901411" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1127</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Microsoft Workflow Compiler Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.Workflow\.Compiler\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Microsoft\.Workflow\.Compiler\.exe)$</field>
    </rule>
    <rule id="901412" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via LSASS Process Clone</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="901413" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potential Mftrace.EXE Abuse</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mftrace\.exe)$</field>
    </rule>
    <rule id="901414" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1021.003</id>
        </mitre>
        <description>MMC20 Lateral Movement</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Embedding</field>
    </rule>
    <rule id="901415" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Suspicious Mofcomp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mofcomp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:mofcomp\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp|\\+Users\\+Public\\+|\\+WINDOWS\\+Temp\\+|%temp%|%tmp%|%appdata%</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.mof)$</field>
    </rule>
    <rule id="901416" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Suspicious Mofcomp Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mofcomp\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:mofcomp\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp|\\+Users\\+Public\\+|\\+WINDOWS\\+Temp\\+|%temp%|%tmp%|%appdata%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.mof)$</field>
    </rule>
    <rule id="901417" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading Via Defender Binaries</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MpCmdRun\.exe|\\+NisSrv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Security\ Client\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="901418" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Msbuild Execution By Uncommon Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+MSBuild\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:MSBuild\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+devenv\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msbuild\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+nuget\.exe)$</field>
    </rule>
    <rule id="901419" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potential Arbitrary Command Execution Using Msdt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:msdt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IT_BrowseForFile=</field>
    </rule>
    <rule id="901420" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Wscript Shell Run In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Wscript\.</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Shell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Run</field>
    </rule>
    <rule id="901421" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.005</id>
        </mitre>
        <description>Potential LethalHTA Technique Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
    </rule>
    <rule id="901422" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1218.005</id>
            <id>attack.execution</id>
            <id>attack.t1059.007</id>
            <id>cve.2020.1599</id>
        </mitre>
        <description>MSHTA Suspicious Execution 01</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)vbscript|\.jpg|\.png|\.lnk|\.xls|\.doc|\.zip|\.dll</field>
    </rule>
    <rule id="901423" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Suspicious Mshta.EXE Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:MSHTA\.EXE)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+|C:\\+ProgramData\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901424" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Suspicious Mshta.EXE Execution Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:MSHTA\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.htm</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.hta</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:mshta\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:mshta)$</field>
    </rule>
    <rule id="901425" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218.007</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious MsiExec Embedding Parent</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)MsiExec\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\-Embedding\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+SplunkUniversalForwarder\\+bin\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+DismFoDInstall\.cmd</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\\+MsiExec\.exe\ \-Embedding\ )</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)Global\\+MSI0000</field>
    </rule>
    <rule id="901426" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Suspicious Msiexec Execute Arbitrary DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-y)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+ScriptingObjectModel\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+SoftwareUpdateAdmin\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ "C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ /Y\ C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Bonjour\\+mdnsNSP\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+ScriptingObjectModel\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Program\ Files\ $x86$\\+Apple\ Software\ Update\\+SoftwareUpdateAdmin\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ "C:\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+MsiExec\.exe"\ \-Y\ C:\\+Windows\\+CCM\\+</field>
    </rule>
    <rule id="901427" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
        </mitre>
        <description>Msiexec Quiet Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:msiexec\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-i|\-package|\-a|\-j)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-q)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+CCM\\+Ccm32BitLauncher\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="yes" type="pcre2">(?i)^(?:System)$</field>
    </rule>
    <rule id="901428" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Potential MsiExec Masquerading</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="901429" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.007</id>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>MsiExec Web Install</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ msiexec</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://</field>
    </rule>
    <rule id="901430" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Potential Process Injection Via Msra.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+msra\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:msra\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arp\.exe|\\+cmd\.exe|\\+net\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+route\.exe|\\+schtasks\.exe|\\+whoami\.exe)$</field>
    </rule>
    <rule id="901431" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Detection of PowerShell Execution via Sqlps.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlps\.exe)$</field>
    </rule>
    <rule id="901432" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Detection of PowerShell Execution via Sqlps.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqlps\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sqlps\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+sqlagent\.exe)$</field>
    </rule>
    <rule id="901433" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>SQL Client Tools PowerShell Session Detection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sqltoolsps\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqltoolsps\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:\\+sqltoolsps\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+smss\.exe)$</field>
    </rule>
    <rule id="901434" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of SQL Server</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+bitsadmin\.exe|\\+cmd\.exe|\\+netstat\.exe|\\+nltest\.exe|\\+ping\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+sh\.exe|\\+systeminfo\.exe|\\+tasklist\.exe|\\+wsl\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ SQL\ Server\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:DATEV_DBENGINE\\+MSSQL\\+Binn\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+cmd\.exe"\ )</field>
    </rule>
    <rule id="901435" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of Veeam Dabatase</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)VEEAMSQL</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-ex\ |bypass|cscript|DownloadString|http://|https://|mshta|regsvr32|rundll32|wscript|copy\ )</field>
    </rule>
    <rule id="901436" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Child Process Of Veeam Dabatase</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sqlservr\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)VEEAMSQL</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe|\\+netstat\.exe|\\+nltest\.exe|\\+ping\.exe|\\+tasklist\.exe|\\+whoami\.exe)$</field>
    </rule>
    <rule id="901437" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1563.002</id>
        </mitre>
        <description>Potential MSTSC Shadowing Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)noconsentprompt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadow:</field>
    </rule>
    <rule id="901438" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>New Remote Desktop Connection Initiated Via Mstsc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:mstsc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /v:</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+lxss\\+wslhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+WSL\\+wslg\.rdp</field>
    </rule>
    <rule id="901439" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Mstsc.EXE Execution With Local RDP File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+mstsc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:mstsc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.rdp|\.rdp")$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+lxss\\+wslhost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+Microsoft\\+WSL\\+wslg\.rdp</field>
    </rule>
    <rule id="901440" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>Msxsl.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msxsl\.exe)$</field>
    </rule>
    <rule id="901441" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>Remote XSL Execution Via Msxsl.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msxsl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901442" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0246</id>
        </mitre>
        <description>New Firewall Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ firewall\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ "program=.:\\+Program\ Files\ $x86$\\+Dropbox\\+Client\\+Dropbox\.exe"\ enable=yes\ profile=Any</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)advfirewall\ firewall\ add\ rule\ name=Dropbox\ dir=in\ action=allow\ "program=.:\\+Program\ Files\\+Dropbox\\+Client\\+Dropbox\.exe"\ enable=yes\ profile=Any</field>
    </rule>
    <rule id="901443" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Firewall Rule Deleted Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)firewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:delete\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)name=Dropbox</field>
    </rule>
    <rule id="901444" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0108</id>
        </mitre>
        <description>Firewall Disabled via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)firewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)opmode</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)disable</field>
    </rule>
    <rule id="901445" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
            <id>attack.s0108</id>
        </mitre>
        <description>Firewall Disabled via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advfirewall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)state</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)off</field>
    </rule>
    <rule id="901446" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)interface</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)portproxy</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)v4tov4</field>
    </rule>
    <rule id="901447" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:i\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:v\ )</field>
    </rule>
    <rule id="901448" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New Port Forwarding Rule Added Via Netsh.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)connectp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)listena</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)c=</field>
    </rule>
    <rule id="901449" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>Suspicious Group And Account Reconnaissance Activity Using Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ group\ |\ localgroup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domain\ admins|\ administrator|\ administrateur|enterprise\ admins|Exchange\ Trusted\ Subsystem|Remote\ Desktop\ Users|Utilisateurs\ du\ Bureau\ Г \ distance|Usuarios\ de\ escritorio\ remoto|\ /do</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ /add</field>
    </rule>
    <rule id="901450" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Suspicious Manipulation Of Default Accounts Via Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ JГ¤rjestelmГ¤nvalvoja\ |\ Rendszergazda\ |\ РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ\ |\ Administrateur\ |\ Administrador\ |\ AdministratГ¶r\ |\ Administrator\ |\ guest\ |\ DefaultAccount\ |\ "JГ¤rjestelmГ¤nvalvoja"\ |\ "Rendszergazda"\ |\ "РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ"\ |\ "Administrateur"\ |\ "Administrador"\ |\ "AdministratГ¶r"\ |\ "Administrator"\ |\ "guest"\ |\ "DefaultAccount"\ |\ 'JГ¤rjestelmГ¤nvalvoja'\ |\ 'Rendszergazda'\ |\ 'РђРґРјРёРЅРёСЃС‚СЂР°С‚РѕСЂ'\ |\ 'Administrateur'\ |\ 'Administrador'\ |\ 'AdministratГ¶r'\ |\ 'Administrator'\ |\ 'guest'\ |\ 'DefaultAccount'\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)guest</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/active\ no</field>
    </rule>
    <rule id="901451" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1078</id>
        </mitre>
        <description>Password Provided In Command Line Of Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ use\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):.+\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/USER:.+\ .+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ )$</field>
    </rule>
    <rule id="901452" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>Share And Session Enumeration Using Net.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)view</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+</field>
    </rule>
    <rule id="901453" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
            <id>attack.t1018</id>
            <id>attack.t1482</id>
        </mitre>
        <description>Nltest.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nltest\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:nltestrk\.exe)$</field>
    </rule>
    <rule id="901454" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
        </mitre>
        <description>Potential Arbitrary Code Execution Via Node.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+node\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-e\ |\ \-\-eval\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exec\(</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net\.socket</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.connect</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)child_process</field>
    </rule>
    <rule id="901455" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1127</id>
            <id>attack.t1059.007</id>
        </mitre>
        <description>Node Process Executions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Adobe\ Creative\ Cloud\ Experience\\+libs\\+node\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Adobe\ Creative\ Cloud\ Experience\\+js</field>
    </rule>
    <rule id="901456" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087</id>
            <id>attack.t1082</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Network Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)nslookup</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)_ldap\._tcp\.dc\._msdcs\.</field>
    </rule>
    <rule id="901457" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntdsutil\.exe)$</field>
    </rule>
    <rule id="901458" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Suspicious Driver/DLL Installation Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:odbcconf\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:INSTALLDRIVER\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901459" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Potentially Suspicious DLL Registered Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:odbcconf\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:REGSVR\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901460" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Suspicious Response File Execution Via Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:odbcconf\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-f\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.rsp</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+runonce\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+odbcconf\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.exe\ /E\ /F\ "C:\\+WINDOWS\\+system32\\+odbcconf\.tmp"</field>
    </rule>
    <rule id="901461" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.008</id>
        </mitre>
        <description>Uncommon Child Process Spawned By Odbcconf.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+odbcconf\.exe)$</field>
    </rule>
    <rule id="901462" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Office Document Executed From Trusted Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe|\\+dopus\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+EXCEL\.EXE|\\+POWERPNT\.EXE|\\+WINWORD\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Excel\.exe|POWERPNT\.EXE|WinWord\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+Microsoft\\+Templates|\\+AppData\\+Roaming\\+Microsoft\\+Word\\+Startup\\+|\\+Microsoft\ Office\\+root\\+Templates\\+|\\+Microsoft\ Office\\+Templates\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dotx)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.xltx)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.potx)$</field>
    </rule>
    <rule id="901463" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:bitsadmin\.exe|CertOC\.exe|CertUtil\.exe|Cmd\.Exe|CMSTP\.EXE|cscript\.exe|curl\.exe|HH\.exe|IEExec\.exe|InstallUtil\.exe|javaw\.exe|Microsoft\.Workflow\.Compiler\.exe|msdt\.exe|MSHTA\.EXE|msiexec\.exe|Msxsl\.exe|odbcconf\.exe|pcalua\.exe|PowerShell\.EXE|RegAsm\.exe|RegSvcs\.exe|REGSVR32\.exe|RUNDLL32\.exe|schtasks\.exe|ScriptRunner\.exe|wmic\.exe|WorkFolders\.exe|wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certoc\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cmstp\.exe|\\+control\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+ieexec\.exe|\\+installutil\.exe|\\+javaw\.exe|\\+mftrace\.exe|\\+Microsoft\.Workflow\.Compiler\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msidb\.exe|\\+msiexec\.exe|\\+msxsl\.exe|\\+odbcconf\.exe|\\+pcalua\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regasm\.exe|\\+regsvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+verclsid\.exe|\\+wmic\.exe|\\+workfolders\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901464" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.hta|\.vb|\.wsh|\.js|\.ps|\.scr|\.pif|\.bat|\.cmd</field>
    </rule>
    <rule id="901465" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Users\\+Public\\+|\\+ProgramData\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Temp\\+|\\+Windows\\+System32\\+Tasks\\+</field>
    </rule>
    <rule id="901466" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1566</id>
            <id>attack.t1566.001</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Suspicious Microsoft OneNote Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+onenote\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-Embedding)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+FileCoAuth\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\-Embedding)$</field>
    </rule>
    <rule id="901467" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Outlook EnableUnsafeClientMailRules Setting Enabled</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Outlook\\+Security\\+EnableUnsafeClientMailRules</field>
    </rule>
    <rule id="901468" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Suspicious Execution From Outlook Temporary Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Temporary\ Internet\ Files\\+Content\.Outlook\\+</field>
    </rule>
    <rule id="901469" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>Suspicious Outlook Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mftrace\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msiexec\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901470" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Remote Child Process From Outlook</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+outlook\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:\\+)</field>
    </rule>
    <rule id="901471" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
            <id>attack.g0046</id>
            <id>car.2013-05-002</id>
        </mitre>
        <description>Suspicious Binary In User Directory Spawned From Office Application</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WINWORD\.EXE|\\+EXCEL\.EXE|\\+POWERPNT\.exe|\\+MSPUB\.exe|\\+VISIO\.exe|\\+MSACCESS\.exe|\\+EQNEDT32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+users\\+)</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
    </rule>
    <rule id="901472" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious Microsoft Office Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EQNEDT32\.EXE|\\+EXCEL\.EXE|\\+MSACCESS\.EXE|\\+MSPUB\.exe|\\+ONENOTE\.EXE|\\+POWERPNT\.exe|\\+VISIO\.exe|\\+WINWORD\.EXE|\\+wordpad\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:bitsadmin\.exe|CertOC\.exe|CertUtil\.exe|Cmd\.Exe|CMSTP\.EXE|cscript\.exe|curl\.exe|HH\.exe|IEExec\.exe|InstallUtil\.exe|javaw\.exe|Microsoft\.Workflow\.Compiler\.exe|msdt\.exe|MSHTA\.EXE|msiexec\.exe|Msxsl\.exe|odbcconf\.exe|pcalua\.exe|PowerShell\.EXE|RegAsm\.exe|RegSvcs\.exe|REGSVR32\.exe|RUNDLL32\.exe|schtasks\.exe|ScriptRunner\.exe|wmic\.exe|WorkFolders\.exe|wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AppVLP\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certoc\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cmstp\.exe|\\+control\.exe|\\+cscript\.exe|\\+curl\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+ieexec\.exe|\\+installutil\.exe|\\+javaw\.exe|\\+mftrace\.exe|\\+Microsoft\.Workflow\.Compiler\.exe|\\+msbuild\.exe|\\+msdt\.exe|\\+mshta\.exe|\\+msidb\.exe|\\+msiexec\.exe|\\+msxsl\.exe|\\+odbcconf\.exe|\\+pcalua\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regasm\.exe|\\+regsvcs\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+svchost\.exe|\\+verclsid\.exe|\\+wmic\.exe|\\+workfolders\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901473" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious Microsoft Office Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EQNEDT32\.EXE|\\+EXCEL\.EXE|\\+MSACCESS\.EXE|\\+MSPUB\.exe|\\+ONENOTE\.EXE|\\+POWERPNT\.exe|\\+VISIO\.exe|\\+WINWORD\.EXE|\\+wordpad\.exe|\\+wordview\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+|\\+Users\\+Public\\+|\\+ProgramData\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Temp\\+|\\+Windows\\+System32\\+Tasks\\+</field>
    </rule>
    <rule id="901474" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+OfflineScannerShell\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:OfflineScannerShell\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+Offline\\+)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901475" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1072</id>
        </mitre>
        <description>PDQ Deploy Remote Adminstartion Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:PDQ\ Deploy\ Console)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:PDQ\ Deploy)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:PDQ\.com)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PDQDeployConsole\.exe)$</field>
    </rule>
    <rule id="901476" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Ping Hex IP</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x</field>
    </rule>
    <rule id="901477" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1040</id>
        </mitre>
        <description>PktMon.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pktmon\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PktMon\.exe)$</field>
    </rule>
    <rule id="901478" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
        </mitre>
        <description>Suspicious Plink Port Forwarding</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Command\-line\ SSH,\ Telnet,\ and\ Rlogin\ client)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
    </rule>
    <rule id="901479" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Potential RDP Tunneling Via Plink</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+plink\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):127\.0\.0\.1:3389</field>
    </rule>
    <rule id="901480" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Via .NET Reflection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)System\.Management\.Automation\.AmsiUtils|amsiInitFailed</field>
    </rule>
    <rule id="901481" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Via .NET Reflection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[Ref\]\.Assembly\.GetType</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SetValue$\$null,\$true$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NonPublic,Static</field>
    </rule>
    <rule id="901482" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI Bypass Using NULL Bits</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)if$0$\{\{\{0\}\}\}'\ \-f\ \$$0\ \-as\ \[char\]$\ \+|\#&lt;NULL&gt;</field>
    </rule>
    <rule id="901483" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Audio Capture via PowerShell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:WindowsAudioDevice\-Powershell\-Cmdlet|Toggle\-AudioDevice|Get\-AudioDevice\ |Set\-AudioDevice\ |Write\-AudioDevice\ )</field>
    </rule>
    <rule id="901484" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Encoded PowerShell Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ JAB|\ SUVYI|\ SQBFAFgA|\ aQBlAHgA|\ aWV4I|\ IAA|\ IAB|\ UwB|\ cwB</field>
    </rule>
    <rule id="901485" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Encoded PowerShell Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-ENCOD\ |\ BA\^J\ e\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-ExecutionPolicy\ remotesigned\ )</field>
    </rule>
    <rule id="901486" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Encoded Command Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.Exe|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e\ |\ \-en\ |\ \-enc\ |\ \-enco</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ JAB|\ SUVYI|\ SQBFAFgA|\ aWV4I|\ IAB|\ PAA|\ aQBlAHgA</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+gc_worker\.exe</field>
    </rule>
    <rule id="901487" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Obfuscated PowerShell Code</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IAAtAGIAeABvAHIAIAAwAHgA|AALQBiAHgAbwByACAAMAB4A|gAC0AYgB4AG8AcgAgADAAeA|AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg|AuAEkAbgB2AG8AawBlACgAKQAgAHwAI|ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC|AHsAMQB9AHsAMAB9ACIAIAAtAGYAI|B7ADEAfQB7ADAAfQAiACAALQBmAC|AewAxAH0AewAwAH0AIgAgAC0AZgAg|AHsAMAB9AHsAMwB9ACIAIAAtAGYAI|B7ADAAfQB7ADMAfQAiACAALQBmAC|AewAwAH0AewAzAH0AIgAgAC0AZgAg|AHsAMgB9AHsAMAB9ACIAIAAtAGYAI|B7ADIAfQB7ADAAfQAiACAALQBmAC|AewAyAH0AewAwAH0AIgAgAC0AZgAg|AHsAMQB9AHsAMAB9ACcAIAAtAGYAI|B7ADEAfQB7ADAAfQAnACAALQBmAC|AewAxAH0AewAwAH0AJwAgAC0AZgAg|AHsAMAB9AHsAMwB9ACcAIAAtAGYAI|B7ADAAfQB7ADMAfQAnACAALQBmAC|AewAwAH0AewAzAH0AJwAgAC0AZgAg|AHsAMgB9AHsAMAB9ACcAIAAtAGYAI|B7ADIAfQB7ADAAfQAnACAALQBmAC|AewAyAH0AewAwAH0AJwAgAC0AZgAg</field>
    </rule>
    <rule id="901488" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Base64 Encoded FromBase64String Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">::FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA|oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA|6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw</field>
    </rule>
    <rule id="901489" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>PowerShell Base64 Encoded IEX Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">IEX\ \(\[|iex\ \(\[|iex\ \(New|IEX\ \(New|IEX\(\[|iex\(\[|iex\(New|IEX\(New|IEX\(\('|iex\(\('</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SQBFAFgAIAAoAFsA|kARQBYACAAKABbA|JAEUAWAAgACgAWw|aQBlAHgAIAAoAFsA|kAZQB4ACAAKABbA|pAGUAeAAgACgAWw|aQBlAHgAIAAoAE4AZQB3A|kAZQB4ACAAKABOAGUAdw|pAGUAeAAgACgATgBlAHcA|SQBFAFgAIAAoAE4AZQB3A|kARQBYACAAKABOAGUAdw|JAEUAWAAgACgATgBlAHcA</field>
    </rule>
    <rule id="901490" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Base64 Encoded MpPreference Cmdlet</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?:Add\-MpPreference\ |Set\-MpPreference\ |add\-mppreference\ |set\-mppreference\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA|EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA|BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA|UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA|MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA|TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA|YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA|EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA|hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA|cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA|MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA|zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA</field>
    </rule>
    <rule id="901491" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1620</id>
        </mitre>
        <description>PowerShell Base64 Encoded Reflective Assembly Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA|sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA|bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA|AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC|BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp|AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK|WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ|sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA|bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA|WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA|sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA|bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA</field>
    </rule>
    <rule id="901492" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.001</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ|oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA|6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA|OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ|oAOgAoACIATABvACIAKwAiAGEAZAAiACkA|6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA|OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ|oAOgAoACIATABvAGEAIgArACIAZAAiACkA|6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA|OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ|oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA|6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA|OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ|oAOgAoACcATABvACcAKwAnAGEAZAAnACkA|6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA|OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ|oAOgAoACcATABvAGEAJwArACcAZAAnACkA|6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA</field>
    </rule>
    <rule id="901493" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ|cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA|XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A|V2luMzJfU2hhZG93Y29we|dpbjMyX1NoYWRvd2NvcH|XaW4zMl9TaGFkb3djb3B5</field>
    </rule>
    <rule id="901494" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA|cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA|XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg|V2luMzJfU2NoZWR1bGVkSm9i|dpbjMyX1NjaGVkdWxlZEpvY|XaW4zMl9TY2hlZHVsZWRKb2</field>
    </rule>
    <rule id="901495" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw|cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA|XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA|V2luMzJfUHJvY2Vzc|dpbjMyX1Byb2Nlc3|XaW4zMl9Qcm9jZXNz</field>
    </rule>
    <rule id="901496" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A|cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA|XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA|V2luMzJfVXNlckFjY291bn|dpbjMyX1VzZXJBY2NvdW50|XaW4zMl9Vc2VyQWNjb3Vud</field>
    </rule>
    <rule id="901497" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>PowerShell Base64 Encoded WMI Classes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA|cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA|XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg|V2luMzJfTG9nZ2VkT25Vc2Vy|dpbjMyX0xvZ2dlZE9uVXNlc|XaW4zMl9Mb2dnZWRPblVzZX</field>
    </rule>
    <rule id="901498" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Potential Process Execution Proxy Via CL_Invocation.ps1</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:SyncInvoke\ )</field>
    </rule>
    <rule id="901499" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>Assembly Loading Via CL_LoadAssembly.ps1</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:LoadAssemblyFromPath\ |LoadAssemblyFromNS\ )</field>
    </rule>
    <rule id="901500" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Via Reversed Commands</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hctac|kaerb|dnammoc|ekovn|eliFd|rahc|etirw|golon|tninon|eddih|tpircS|ssecorp|llehsrewop|esnopser|daolnwod|tneilCbeW|tneilc|ptth|elifotevas|46esab|htaPpmeTteG|tcejbO|maerts|hcaerof|retupmoc</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-EncodedCommand\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-enc\ )</field>
    </rule>
    <rule id="901501" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Command Line Obfuscation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*\^.*\^.*\^.*\^.*\^.*</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i).*`.*`.*`.*`.*`.*</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Amazon\\+SSM\\+ssm\-document\-worker\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)new\ EventSource$"Microsoft\.Windows\.Sense\.Client\.Management"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)public\ static\ extern\ bool\ InstallELAMCertificateInfo\(SafeFileHandle\ handle$;</field>
    </rule>
    <rule id="901502" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Service Creation Using PowerShell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-BinaryPathName</field>
    </rule>
    <rule id="901503" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Gzip Archive Decode Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)GZipStream</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::Decompress</field>
    </rule>
    <rule id="901504" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Add\-MpPreference\ |Set\-MpPreference\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:DisableArchiveScanning\ |DisableRealtimeMonitoring\ |DisableIOAVProtection\ |DisableBehaviorMonitoring\ |DisableBlockAtFirstSeen\ |DisableCatchupFullScan\ |DisableCatchupQuickScan\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\$true|\ 1\ )</field>
    </rule>
    <rule id="901505" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?:disablearchivescanning\ |DisableArchiveScanning\ |disablebehaviormonitoring\ |DisableBehaviorMonitoring\ |disableblockatfirstseen\ |DisableBlockAtFirstSeen\ |disablecatchupfullscan\ |DisableCatchupFullScan\ |disablecatchupquickscan\ |DisableCatchupQuickScan\ |disableioavprotection\ |DisableIOAVProtection\ |disablerealtimemonitoring\ |DisableRealtimeMonitoring\ )</field>
    </rule>
    <rule id="901506" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Powershell Defender Disable Scan Feature</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA|EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA|RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA|QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA|EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA|RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA|EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA|RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA|QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA|EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA|ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA|kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA|ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA|QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA|kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA|ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA|QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA|kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA|ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA|QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA|kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA|RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA|RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA|RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA</field>
    </rule>
    <rule id="901507" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-DisableBehaviorMonitoring\ \$true|\-DisableRuntimeMonitoring\ \$true</field>
    </rule>
    <rule id="901508" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)stop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
    </rule>
    <rule id="901509" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
    </rule>
    <rule id="901510" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender AV Security Monitoring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinDefend</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)start=disabled</field>
    </rule>
    <rule id="901511" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ IEHarden\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 0\ )</field>
    </rule>
    <rule id="901512" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ DEPOff\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 1\ )</field>
    </rule>
    <rule id="901513" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled IE Security Features</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-name\ DisableFirstRunCustomize\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-value\ 2\ )</field>
    </rule>
    <rule id="901514" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential PowerShell Downgrade Attack</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-version\ 2\ |\ \-versio\ 2\ |\ \-versi\ 2\ |\ \-vers\ 2\ |\ \-ver\ 2\ |\ \-ve\ 2\ |\ \-v\ 2\ )</field>
    </rule>
    <rule id="901515" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PowerShell Web Download</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.DownloadString\(|\.DownloadFile\(|Invoke\-WebRequest\ |iwr\ )</field>
    </rule>
    <rule id="901516" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Potential DLL File Download Via PowerShell Invoke-WebRequest</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-WebRequest\ |IWR\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OutFile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="901517" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Email Exifiltration Via Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-PSSnapin</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Recipient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ExpandProperty</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EmailAddresses</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SmtpAddress</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-hidetableheaders</field>
    </rule>
    <rule id="901518" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Execution of Powershell with Base64</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-e\ |\ \-en\ |\ \-enc\ |\ \-enco|\ \-ec\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-Encoding\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)C:\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+gc_worker\.exe</field>
    </rule>
    <rule id="901519" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToChar|ToString|String</field>
    </rule>
    <rule id="901520" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)char</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)join</field>
    </rule>
    <rule id="901521" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Encoded PowerShell Patterns In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ToInt|ToDecimal|ToByte|ToUint|ToSingle|ToSByte</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)split</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)join</field>
    </rule>
    <rule id="901522" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.execution</id>
            <id>attack.t1552.004</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Certificate Exported Via PowerShell</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Export\-PfxCertificate\ |Export\-Certificate\ )</field>
    </rule>
    <rule id="901523" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1027</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Base64 Encoded PowerShell Command Detected</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::FromBase64String\(</field>
    </rule>
    <rule id="901524" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1132.001</id>
        </mitre>
        <description>Suspicious FromBase64String Usage On Gzip Archive - Process Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MemoryStream</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)H4sI</field>
    </rule>
    <rule id="901525" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>PowerShell Get-Process LSASS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Process\ lsas|ps\ lsas|gps\ lsas</field>
    </rule>
    <rule id="901526" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1115</id>
        </mitre>
        <description>PowerShell Get-Clipboard Cmdlet Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Clipboard</field>
    </rule>
    <rule id="901527" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell IEX Execution Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \|\ iex;|\ \|\ iex\ |\ \|\ iex\}|\ \|\ IEX\ ;|\ \|\ IEX\ \-Error|\ \|\ IEX\ $new|$;IEX\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::FromBase64String|\.GetString$\[System\.Convert\]::</field>
    </rule>
    <rule id="901528" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell IEX Execution Patterns</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$\|iex;\$|\);iex$\$|$;iex\ \$|\ \|\ IEX\ \|\ |\ \|\ iex\\+"</field>
    </rule>
    <rule id="901529" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Root Certificate Installed From Susp Locations</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Import\-Certificate</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-FilePath\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Cert:\\+LocalMachine\\+Root</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|:\\+Windows\\+TEMP\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Perflogs\\+|:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="901530" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Import PowerShell Modules From Suspicious Directories - ProcCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Import\-Module\ "\$Env:Temp\\+|Import\-Module\ '\$Env:Temp\\+|Import\-Module\ \$Env:Temp\\+|Import\-Module\ "\$Env:Appdata\\+|Import\-Module\ '\$Env:Appdata\\+|Import\-Module\ \$Env:Appdata\\+|Import\-Module\ C:\\+Users\\+Public\\+|ipmo\ "\$Env:Temp\\+|ipmo\ '\$Env:Temp\\+|ipmo\ \$Env:Temp\\+|ipmo\ "\$Env:Appdata\\+|ipmo\ '\$Env:Appdata\\+|ipmo\ \$Env:Appdata\\+|ipmo\ C:\\+Users\\+Public\\+</field>
    </rule>
    <rule id="901531" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[Convert\]::FromBase64String</field>
    </rule>
    <rule id="901532" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-noni</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-nop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Object</field>
    </rule>
    <rule id="901533" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-w\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ep</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Enc</field>
    </rule>
    <rule id="901534" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+software\\+</field>
    </rule>
    <rule id="901535" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)bypass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-noprofile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-windowstyle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hidden</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.net\.webclient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.download</field>
    </rule>
    <rule id="901536" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)iex</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Object</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Net\.WebClient</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.Download</field>
    </rule>
    <rule id="901537" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious PowerShell Invocations - Specific - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)$New\-Object\ System\.Net\.WebClient$\.DownloadString\('https://community\.chocolatey\.org/install\.ps1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Write\-ChocolateyWarning</field>
    </rule>
    <rule id="901538" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
        </mitre>
        <description>Suspicious PowerShell Mailbox Export to Share</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-MailboxExportRequest</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-Mailbox\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-FilePath\ \\+</field>
    </rule>
    <rule id="901539" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.discovery</id>
            <id>attack.t1482</id>
            <id>attack.t1087</id>
            <id>attack.t1087.001</id>
            <id>attack.t1087.002</id>
            <id>attack.t1069.001</id>
            <id>attack.t1069.002</id>
            <id>attack.t1069</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Malicious PowerShell Commandlets - ProcessCreation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-Exfiltration|Add\-Persistence|Add\-RegBackdoor|Add\-RemoteRegBackdoor|Add\-ScrnSaveBackdoor|Check\-VM|ConvertTo\-Rc4ByteStream|Decrypt\-Hash|Disable\-ADIDNSNode|Disable\-MachineAccount|Do\-Exfiltration|Enable\-ADIDNSNode|Enable\-MachineAccount|Enabled\-DuplicateToken|Exploit\-Jboss|Export\-ADR|Export\-ADRCSV|Export\-ADRExcel|Export\-ADRHTML|Export\-ADRJSON|Export\-ADRXML|Find\-Fruit|Find\-GPOLocation|Find\-TrustedDocuments|Get\-ADIDNS|Get\-ApplicationHost|Get\-ChromeDump|Get\-ClipboardContents|Get\-FoxDump|Get\-GPPPassword|Get\-IndexedItem|Get\-KerberosAESKey|Get\-Keystrokes|Get\-LSASecret|Get\-MachineAccountAttribute|Get\-MachineAccountCreator|Get\-PassHashes|Get\-RegAlwaysInstallElevated|Get\-RegAutoLogon|Get\-RemoteBootKey|Get\-RemoteCachedCredential|Get\-RemoteLocalAccountHash|Get\-RemoteLSAKey|Get\-RemoteMachineAccountHash|Get\-RemoteNLKMKey|Get\-RickAstley|Get\-Screenshot|Get\-SecurityPackages|Get\-ServiceFilePermission|Get\-ServicePermission|Get\-ServiceUnquoted|Get\-SiteListPassword|Get\-System|Get\-TimedScreenshot|Get\-UnattendedInstallFile|Get\-Unconstrained|Get\-USBKeystrokes|Get\-VaultCredential|Get\-VulnAutoRun|Get\-VulnSchTask|Grant\-ADIDNSPermission|Gupt\-Backdoor|HTTP\-Login|Install\-ServiceBinary|Install\-SSP|Invoke\-ACLScanner|Invoke\-ADRecon|Invoke\-ADSBackdoor|Invoke\-AgentSmith|Invoke\-AllChecks|Invoke\-ARPScan|Invoke\-AzureHound|Invoke\-BackdoorLNK|Invoke\-BadPotato|Invoke\-BetterSafetyKatz|Invoke\-BypassUAC|Invoke\-Carbuncle|Invoke\-Certify|Invoke\-ConPtyShell|Invoke\-CredentialInjection|Invoke\-DAFT|Invoke\-DCSync|Invoke\-DinvokeKatz|Invoke\-DllInjection|Invoke\-DNSUpdate|Invoke\-DomainPasswordSpray|Invoke\-DowngradeAccount|Invoke\-EgressCheck|Invoke\-Eyewitness|Invoke\-FakeLogonScreen|Invoke\-Farmer|Invoke\-Get\-RBCD\-Threaded|Invoke\-Gopher|Invoke\-Grouper|Invoke\-HandleKatz|Invoke\-ImpersonatedProcess|Invoke\-ImpersonateSystem|Invoke\-InteractiveSystemPowerShell|Invoke\-Internalmonologue|Invoke\-Inveigh|Invoke\-InveighRelay|Invoke\-KrbRelay|Invoke\-LdapSignCheck|Invoke\-Lockless|Invoke\-MalSCCM|Invoke\-Mimikatz|Invoke\-Mimikittenz|Invoke\-MITM6|Invoke\-NanoDump|Invoke\-NetRipper|Invoke\-Nightmare|Invoke\-NinjaCopy|Invoke\-OfficeScrape|Invoke\-OxidResolver|Invoke\-P0wnedshell|Invoke\-Paranoia|Invoke\-PortScan|Invoke\-PoshRatHttp|Invoke\-PostExfil|Invoke\-PowerDump|Invoke\-PowerShellTCP|Invoke\-PowerShellWMI|Invoke\-PPLDump|Invoke\-PsExec|Invoke\-PSInject|Invoke\-PsUaCme|Invoke\-ReflectivePEInjection|Invoke\-ReverseDNSLookup|Invoke\-Rubeus|Invoke\-RunAs|Invoke\-SafetyKatz|Invoke\-SauronEye|Invoke\-SCShell|Invoke\-Seatbelt|Invoke\-ServiceAbuse|Invoke\-ShadowSpray|Invoke\-Sharp|Invoke\-Shellcode|Invoke\-SMBScanner|Invoke\-Snaffler|Invoke\-Spoolsample|Invoke\-SpraySinglePassword|Invoke\-SSHCommand|Invoke\-StandIn|Invoke\-StickyNotesExtract|Invoke\-SystemCommand|Invoke\-Tasksbackdoor|Invoke\-Tater|Invoke\-Thunderfox|Invoke\-ThunderStruck|Invoke\-TokenManipulation|Invoke\-Tokenvator|Invoke\-TotalExec|Invoke\-UrbanBishop|Invoke\-UserHunter|Invoke\-VoiceTroll|Invoke\-Whisker|Invoke\-WinEnum|Invoke\-winPEAS|Invoke\-WireTap|Invoke\-WmiCommand|Invoke\-WMIExec|Invoke\-WScriptBypassUAC|Invoke\-Zerologon|MailRaider|New\-ADIDNSNode|New\-DNSRecordArray|New\-HoneyHash|New\-InMemoryModule|New\-MachineAccount|New\-SOASerialNumberArray|Out\-Minidump|Port\-Scan|PowerBreach|powercat\ |PowerUp|PowerView|Remove\-ADIDNSNode|Remove\-MachineAccount|Remove\-Update|Rename\-ADIDNSNode|Revoke\-ADIDNSPermission|Set\-ADIDNSNode|Set\-MacAttribute|Set\-MachineAccountAttribute|Set\-Wallpaper|Show\-TargetScreen|Start\-CaptureServer|Start\-Dnscat2|Start\-WebcamRecorder|VolumeShadowCopyTools</field>
    </rule>
    <rule id="901540" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.002</id>
        </mitre>
        <description>MSExchange Transport Agent Installation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Install\-TransportAgent</field>
    </rule>
    <rule id="901541" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Non Interactive PowerShell Process Spawned</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+CompatTelRunner\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?::\\+\$WINDOWS\.\~BT\\+Sources\\+SetupHost\.exe)$</field>
    </rule>
    <rule id="901542" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Non Interactive PowerShell Process Spawned</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\ \-\-ms\-enable\-electron\-run\-as\-node\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal_</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe)$</field>
    </rule>
    <rule id="901543" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential PowerShell Obfuscation Via WCHAR</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)$WCHAR$0x</field>
    </rule>
    <rule id="901544" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Execution of Powershell Script in Public Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-f\ C:\\+Users\\+Public|\-f\ "C:\\+Users\\+Public|\-f\ %Public%|\-fi\ C:\\+Users\\+Public|\-fi\ "C:\\+Users\\+Public|\-fi\ %Public%|\-fil\ C:\\+Users\\+Public|\-fil\ "C:\\+Users\\+Public|\-fil\ %Public%|\-file\ C:\\+Users\\+Public|\-file\ "C:\\+Users\\+Public|\-file\ %Public%</field>
    </rule>
    <rule id="901545" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-ATHRemoteFXvGPUDisablementCommand|Invoke\-ATHRemoteFXvGPUDisableme</field>
    </rule>
    <rule id="901546" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Run PowerShell Script from ADS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Content</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-Stream</field>
    </rule>
    <rule id="901547" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Run PowerShell Script from Redirected Input Stream</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\s-\s*&lt;</field>
    </rule>
    <rule id="901548" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Invocation From Script Engines</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)\\+Health\ Service\ State\\+</field>
    </rule>
    <rule id="901549" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.collection</id>
            <id>attack.t1114</id>
        </mitre>
        <description>Exchange PowerShell Snap-Ins Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Add\-PSSnapin</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft\.Exchange\.Powershell\.Snapin|Microsoft\.Exchange\.Management\.PowerShell\.SnapIn</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\$exserver=Get\-ExchangeServer\ $\[Environment\]::MachineName$\ \-ErrorVariable\ exerr\ 2&gt;\ \$null</field>
    </rule>
    <rule id="901550" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potentially Suspicious PowerShell Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bash\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+forfiles\.exe|\\+hh\.exe|\\+mshta\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+schtasks\.exe|\\+scrcons\.exe|\\+scriptrunner\.exe|\\+sh\.exe|\\+wmic\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkspacesConfig\\+Scripts\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkspacesConfig\\+Scripts\\+</field>
    </rule>
    <rule id="901551" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Download and Execute Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)IEX\ $\(New\-Object\ Net\.WebClient$\.DownloadString|IEX\ $New\-Object\ Net\.WebClient$\.DownloadString|IEX$\(New\-Object\ Net\.WebClient$\.DownloadString|IEX$New\-Object\ Net\.WebClient$\.DownloadString|\ \-command\ $New\-Object\ System\.Net\.WebClient$\.DownloadFile$|\ \-c\ \(New\-Object\ System\.Net\.WebClient$\.DownloadFile\(</field>
    </rule>
    <rule id="901552" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious PowerShell Parameter Substring</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-windowstyle\ h\ |\ \-windowstyl\ h|\ \-windowsty\ h|\ \-windowst\ h|\ \-windows\ h|\ \-windo\ h|\ \-wind\ h|\ \-win\ h|\ \-wi\ h|\ \-win\ h\ |\ \-win\ hi\ |\ \-win\ hid\ |\ \-win\ hidd\ |\ \-win\ hidde\ |\ \-NoPr\ |\ \-NoPro\ |\ \-NoProf\ |\ \-NoProfi\ |\ \-NoProfil\ |\ \-nonin\ |\ \-nonint\ |\ \-noninte\ |\ \-noninter\ |\ \-nonintera\ |\ \-noninterac\ |\ \-noninteract\ |\ \-noninteracti\ |\ \-noninteractiv\ |\ \-ec\ |\ \-encodedComman\ |\ \-encodedComma\ |\ \-encodedComm\ |\ \-encodedCom\ |\ \-encodedCo\ |\ \-encodedC\ |\ \-encoded\ |\ \-encode\ |\ \-encod\ |\ \-enco\ |\ \-en\ |\ \-executionpolic\ |\ \-executionpoli\ |\ \-executionpol\ |\ \-executionpo\ |\ \-executionp\ |\ \-execution\ bypass|\ \-executio\ bypass|\ \-executi\ bypass|\ \-execut\ bypass|\ \-execu\ bypass|\ \-exec\ bypass|\ \-exe\ bypass|\ \-ex\ bypass|\ \-ep\ bypass|\ /windowstyle\ h\ |\ /windowstyl\ h|\ /windowsty\ h|\ /windowst\ h|\ /windows\ h|\ /windo\ h|\ /wind\ h|\ /win\ h|\ /wi\ h|\ /win\ h\ |\ /win\ hi\ |\ /win\ hid\ |\ /win\ hidd\ |\ /win\ hidde\ |\ /NoPr\ |\ /NoPro\ |\ /NoProf\ |\ /NoProfi\ |\ /NoProfil\ |\ /nonin\ |\ /nonint\ |\ /noninte\ |\ /noninter\ |\ /nonintera\ |\ /noninterac\ |\ /noninteract\ |\ /noninteracti\ |\ /noninteractiv\ |\ /ec\ |\ /encodedComman\ |\ /encodedComma\ |\ /encodedComm\ |\ /encodedCom\ |\ /encodedCo\ |\ /encodedC\ |\ /encoded\ |\ /encode\ |\ /encod\ |\ /enco\ |\ /en\ |\ /executionpolic\ |\ /executionpoli\ |\ /executionpol\ |\ /executionpo\ |\ /executionp\ |\ /execution\ bypass|\ /executio\ bypass|\ /executi\ bypass|\ /execut\ bypass|\ /execu\ bypass|\ /exec\ bypass|\ /exe\ bypass|\ /ex\ bypass|\ /ep\ bypass</field>
    </rule>
    <rule id="901553" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.command_and_control</id>
            <id>attack.t1104</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PowerShell DownloadFile</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.DownloadFile</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)System\.Net\.WebClient</field>
    </rule>
    <rule id="901554" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.009</id>
        </mitre>
        <description>Powershell Token Obfuscation - Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\w+`(\w+|-|.)`[\w+|\s]</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)"(\{\d\})+"\s*-f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}</field>
    </rule>
    <rule id="901555" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.004</id>
        </mitre>
        <description>Suspicious X509Enrollment - Process Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)X509Enrollment\.CBinaryConverter|884e2002\-217d\-11da\-b2a4\-000e7bbb2b09</field>
    </rule>
    <rule id="901556" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1074.001</id>
        </mitre>
        <description>Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Compress\-Archive\ \-Path.+\-DestinationPath\ \$env:TEMP|Compress\-Archive\ \-Path.+\-DestinationPath.+\\+AppData\\+Local\\+Temp\\+|Compress\-Archive\ \-Path.+\-DestinationPath.+:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901557" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>XBAP Execution From Uncommon Locations Via PresentationHost.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+presentationhost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PresentationHost\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.xbap</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Program\ Files</field>
    </rule>
    <rule id="901558" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Microsoft\.NodejsTools\.PressAnyKey\.exe)$</field>
    </rule>
    <rule id="901559" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Abusing Print Executable</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+print\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:print)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/D</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)print\.exe</field>
    </rule>
    <rule id="901560" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provlaunch.EXE Binary Proxy Execution Abuse</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+provlaunch\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+PerfLogs\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+Public\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+System32\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="901561" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1113</id>
        </mitre>
        <description>Screen Capture Activity Via Psr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Psr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/start|\-start</field>
    </rule>
    <rule id="901562" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+3proxy\.exe)$</field>
    </rule>
    <rule id="901563" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:3proxy\ \-\ tiny\ proxy\ server)$</field>
    </rule>
    <rule id="901564" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - 3Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-i127\.0\.0\.1\ \-p</field>
    </rule>
    <rule id="901565" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lockoutduration|lockoutthreshold|lockoutobservationwindow|maxpwdage|minpwdage|minpwdlength|pwdhistorylength|pwdproperties</field>
    </rule>
    <rule id="901566" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-sc\ admincountdmp</field>
    </rule>
    <rule id="901567" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1087.002</id>
        </mitre>
        <description>PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-sc\ exchaddresses</field>
    </rule>
    <rule id="901568" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
            <id>stp.1u</id>
        </mitre>
        <description>PUA - AdFind Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domainlist|trustdmp|dcmodes|adinfo|\ dclist\ |computer_pwdnotreqd|objectcategory=|\-subnets\ \-f|name="Domain\ Admins"|\-sc\ u:|domainncs|dompol|\ oudmp\ |subnetdmp|gpodmp|fspdmp|users_noexpire|computers_active|computers_pwdnotreqd</field>
    </rule>
    <rule id="901569" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1564.003</id>
            <id>attack.t1134.002</id>
            <id>attack.t1059.003</id>
        </mitre>
        <description>PUA - AdvancedRun Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AdvancedRun\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /EXEFilename\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /Run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /WindowState\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /RunAs\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /CommandLine\ )</field>
    </rule>
    <rule id="901570" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced IP Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+advanced_ip_scanner</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)advanced_ip_scanner</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Advanced\ IP\ Scanner</field>
    </rule>
    <rule id="901571" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced IP Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/portable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lng</field>
    </rule>
    <rule id="901572" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced Port Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+advanced_port_scanner</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)advanced_port_scanner</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Advanced\ Port\ Scanner</field>
    </rule>
    <rule id="901573" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
            <id>attack.t1135</id>
        </mitre>
        <description>PUA - Advanced Port Scanner Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/portable</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/lng</field>
    </rule>
    <rule id="901574" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>PUA - Chisel Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+chisel\.exe)$</field>
    </rule>
    <rule id="901575" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SepRemovalToolNative_x64\.exe)$</field>
    </rule>
    <rule id="901576" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+CATClean\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-uninstall</field>
    </rule>
    <rule id="901577" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NetInstaller\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-r</field>
    </rule>
    <rule id="901578" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>PUA - CleanWipe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WFPUnins\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/enterprise</field>
    </rule>
    <rule id="901579" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_crassus.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1590.001</id>
        </mitre>
        <description>PUA - Crassus Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Crassus\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Crassus\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Crassus</field>
    </rule>
    <rule id="901580" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CsExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+csexec\.exe)$</field>
    </rule>
    <rule id="901581" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PUA - CsExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:csexec)$</field>
    </rule>
    <rule id="901582" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027.005</id>
        </mitre>
        <description>PUA - DefenderCheck Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DefenderCheck\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:DefenderCheck)$</field>
    </rule>
    <rule id="901583" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>PUA - DIT Snapshot Viewer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ditsnap\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ditsnap\.exe</field>
    </rule>
    <rule id="901584" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+frpc\.exe|\\+frps\.exe)$</field>
    </rule>
    <rule id="901585" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+frpc\.ini</field>
    </rule>
    <rule id="901586" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - Fast Reverse Proxy (FRP) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=7D9C233B8C9E3F0EA290D2B84593C842|SHA1=06DDC9280E1F1810677935A2477012960905942F|SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:7d9c233b8c9e3f0ea290d2b84593c842)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:06ddc9280e1f1810677935a2477012960905942f)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c)$</field>
    </rule>
    <rule id="901587" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+iox\.exe)$</field>
    </rule>
    <rule id="901588" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ fwd\ \-l\ |\.exe\ fwd\ \-r\ |\.exe\ proxy\ \-l\ |\.exe\ proxy\ \-r\ )</field>
    </rule>
    <rule id="901589" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA- IOX Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=9DB2D314DD3F704A02051EF5EA210993|SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD|SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:9db2d314dd3f704a02051ef5ea210993)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:039130337e28a6623ecf9a0a3da7d92c5964d8dd)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731)$</field>
    </rule>
    <rule id="901590" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.collection</id>
            <id>attack.t1056.002</id>
        </mitre>
        <description>PUA - Mouse Lock Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)Mouse\ Lock</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)Misc314</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Mouse\ Lock_</field>
    </rule>
    <rule id="901591" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>PUA - Netcat Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nc\.exe|\\+ncat\.exe|\\+netcat\.exe)$</field>
    </rule>
    <rule id="901592" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1095</id>
        </mitre>
        <description>PUA - Netcat Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-lvp\ |\ \-lvnp|\ \-l\ \-v\ \-p\ |\ \-lv\ \-p\ |\ \-l\ \-\-proxy\-type\ http\ |\ \-vnl\ \-\-exec\ |\ \-vnl\ \-e\ |\ \-\-lua\-exec\ |\ \-\-sh\-exec\ )</field>
    </rule>
    <rule id="901593" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ tcp\ 139|\ tcp\ 445|\ tcp\ 3389|\ tcp\ 5985|\ tcp\ 5986</field>
    </rule>
    <rule id="901594" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ start\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-all</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.yml</field>
    </rule>
    <rule id="901595" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:ngrok\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tcp\ |\ http\ |\ authtoken\ )</field>
    </rule>
    <rule id="901596" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>PUA - Ngrok Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ authtoken\ |\.exe\ start\ \-\-all</field>
    </rule>
    <rule id="901597" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nimgrab\.exe)$</field>
    </rule>
    <rule id="901598" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B|SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559|IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45</field>
    </rule>
    <rule id="901599" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>PUA - Nimgrab Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:2DD44C3C29D667F5C0EF5F9D7C7FFB8B)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:C07FDDD21D123EA9B3A08EEF44AAAC45)$</field>
    </rule>
    <rule id="901600" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NirCmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:NirCmd\.exe)$</field>
    </rule>
    <rule id="901601" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ execmd\ |\.exe\ script\ |\.exe\ shexec\ |\ runinteractive\ )</field>
    </rule>
    <rule id="901602" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
            <id>attack.s0029</id>
        </mitre>
        <description>PUA - NirCmd Execution As LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ runassystem\ )</field>
    </rule>
    <rule id="901603" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1046</id>
        </mitre>
        <description>PUA - Nmap/Zenmap Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+nmap\.exe|\\+zennmap\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:nmap\.exe|zennmap\.exe)$</field>
    </rule>
    <rule id="901604" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+npc\.exe)$</field>
    </rule>
    <rule id="901605" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-server=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-vkey=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-password=</field>
    </rule>
    <rule id="901606" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-config=npc</field>
    </rule>
    <rule id="901607" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>PUA - NPS Tunneling Tool Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=AE8ACF66BFE3A44148964048B826D005|SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181|SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:ae8acf66bfe3a44148964048b826d005)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:cea49e9b9b67f3a13ad0be1c2655293ea3c18181)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856)$</field>
    </rule>
    <rule id="901608" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=f741f25ac909ee434e50812d436c73ff|MD5=d40acbfc29ee24388262e3d8be16f622|MD5=01bb2c16fadb992fa66228cd02d45c60|MD5=9e1b18e62e42b5444fc55b51e640355b|MD5=b7f8fe33ac471b074ca9e630ba0c7e79|MD5=324579d717c9b9b8e71d0269d13f811f|MD5=63257a1ddaf83cfa43fe24a3bc06c207|MD5=049e85963826b059c9bac273bb9c82ab|MD5=ecb98b7b4d4427eb8221381154ff4cb2|MD5=faf87749ac790ec3a10dd069d10f9d63|MD5=f296dba5d21ad18e6990b1992aea8f83|MD5=93ba94355e794b6c6f98204cf39f7a11|MD5=a258ef593ac63155523a461ecc73bdba|MD5=97000eb5d1653f1140ee3f47186463c4|MD5=95eb317fbbe14a82bd9fdf31c48b8d93|MD5=32fe9f0d2630ac40ea29023920f20f49|MD5=a05930dde939cfd02677fc18bb2b7df5|MD5=124283924e86933ff9054a549d3a268b|MD5=ceda6909b8573fdeb0351c6920225686|MD5=60ce120040f2cd311c810ae6f6bbc182|MD5=2f10cdc5b09100a260703a28eadd0ceb|MD5=011d967028e797a4c16d547f7ba1463f|MD5=2da9152c0970500c697c1c9b4a9e0360|MD5=b5ba72034b8f44d431f55275bace9f8b|MD5=d6ed9101df0f24e27ff92ddab42dacca|MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d|MD5=5e083cd0143ae95a6cb79b68c07ca573|MD5=28caff93748cb84be70486e79f04c2df|MD5=9d4f12c30f9b500f896efd1800e4dd11|MD5=4586f7dd14271ad65a5fb696b393f4c0|MD5=86ba9dddbdf49215145b5bcd081d4011|MD5=9dce0a481343874ef9a36c9a825ef991|MD5=85890f62e231ad964b1fda7a674747ec|MD5=599be548da6441d7fe3e9a1bb8cb0833|MD5=9b0c7fd5763f66e9b8c7b457fce53f96|MD5=32d45718164205aec3e98e0223717d1d|MD5=6ff5f373ee7f794cd17db50704d00ddb|MD5=88efbdf41f0650f8f58a3053b0ca0459|MD5=ef915f61f861d1fb7cbde9afd2e7bd93|MD5=781fa16511a595757154b4304d2dd350|MD5=5018ec39be0e296f4fc8c8575bfa8486|MD5=f4a84d6f1caf0875b50135423d04139f|SHA1=9c1431801fa6342ed68f047842b9a11778fc669b|SHA1=c36c862f40dad78cb065197aad15fef690c262f2|SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d|SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f|SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa|SHA1=f14c9633040897d375e3069fddc71e859f283778|SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc|SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937|SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36|SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b|SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc|SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11|SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995|SHA1=607e1fa810c799735221a609af3bfc405728c02d|SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3|SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a|SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491|SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178|SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4|SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84|SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea|SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17|SHA1=81d67b3d70c4e855cb11a453cc32997517708362|SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad|SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2|SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92|SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1|SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a|SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db|SHA1=3150f14508ee4cae19cf09083499d1cda8426540|SHA1=036ad9876fa552b1298c040e233d620ea44689c6|SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5|SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c|SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d|SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4|SHA1=c82152cddf9e5df49094686531872ecd545976db|SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61|SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836|SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719|SHA1=34c0c5839af1c92bce7562b91418443a2044c90d|SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08|SHA1=3a515551814775df0ccbe09f219bc972eae45a10|SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b|SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85|SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03|SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795|SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f|SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a|SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275|SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b|SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2|SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae|SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6|SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a|SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1|SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559|SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2|SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef|SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d|SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524|SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b|SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b|SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629|SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358|SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca|SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea|SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172|SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4|SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2|SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66|SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27|SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41|SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1|SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0|SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8|SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d|SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726|SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90|SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5|SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140|SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87|SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892|SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054|SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PingCastle\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Ping\ Castle)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
    </rule>
    <rule id="901609" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.bat|\.chm|\.cmd|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf</field>
    </rule>
    <rule id="901610" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="901611" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901612" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.reconnaissance</id>
            <id>attack.t1595</id>
        </mitre>
        <description>PUA - PingCastle Execution From Potentially Suspicious Parent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.bat|\.chm|\.cmd|\.hta|\.htm|\.html|\.js|\.lnk|\.ps1|\.vbe|\.vbs|\.wsf</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PingCastle\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Ping\ Castle)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
    </rule>
    <rule id="901613" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+ProcessHacker_</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ProcessHacker\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ProcessHacker\.exe|Process\ Hacker)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Process\ Hacker)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Process\ Hacker)$</field>
    </rule>
    <rule id="901614" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=68F9B52895F4D34E74112F3129B3B00D|MD5=B365AF317AE730A67C936F21432B9C71|SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D|SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E|SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F|SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4|IMPHASH=3695333C60DEDECDCAFF1590409AA462|IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF</field>
    </rule>
    <rule id="901615" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1622</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - Process Hacker Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:68f9b52895f4d34e74112f3129b3b00d|b365af317ae730a67c936f21432b9c71)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e|a0bdfac3ce1880b32ff9b696458327ce352e3b1d)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f|bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:04de0ad9c37eb7bd52043d2ecac958df|3695333c60dedecdcaff1590409aa462)$</field>
    </rule>
    <rule id="901616" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1072</id>
        </mitre>
        <description>PUA - Radmin Viewer Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Radmin\ Viewer)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Radmin\ Viewer)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Radmin\.exe)$</field>
    </rule>
    <rule id="901617" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1567.002</id>
        </mitre>
        <description>PUA - Rclone Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-config\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-no\-check\-certificate\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ copy\ )</field>
    </rule>
    <rule id="901618" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1526</id>
            <id>attack.t1087</id>
            <id>attack.t1083</id>
        </mitre>
        <description>PUA - Seatbelt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Seatbelt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Seatbelt\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Seatbelt)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ DpapiMasterKeys|\ InterestingProcesses|\ InterestingFiles|\ CertificateThumbprints|\ ChromiumBookmarks|\ ChromiumHistory|\ ChromiumPresence|\ CloudCredentials|\ CredEnum|\ CredGuard|\ FirefoxHistory|\ ProcessCreationEvents</field>
    </rule>
    <rule id="901619" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SystemInformer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SystemInformer\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:System\ Informer)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:System\ Informer)$</field>
    </rule>
    <rule id="901620" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)MD5=19426363A37C03C3ED6FEDF57B6696EC|SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC|SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287|IMPHASH=B68908ADAEB5D662F87F2528AF318F12</field>
    </rule>
    <rule id="901621" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.discovery</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1082</id>
            <id>attack.t1564</id>
            <id>attack.t1543</id>
        </mitre>
        <description>PUA - System Informer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:19426363A37C03C3ED6FEDF57B6696EC)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)^(?:8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287)$</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:B68908ADAEB5D662F87F2528AF318F12)$</field>
    </rule>
    <rule id="901622" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555.003</id>
        </mitre>
        <description>PUA - WebBrowserPassView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Web\ Browser\ Password\ Viewer)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WebBrowserPassView\.exe)$</field>
    </rule>
    <rule id="901623" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PUA - Wsudo Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsudo\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wsudo\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Windows\ sudo\ utility)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsudo\-bridge\.exe)$</field>
    </rule>
    <rule id="901624" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1059</id>
        </mitre>
        <description>PUA - Wsudo Suspicious Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-u\ System|\-uSystem|\-u\ TrustedInstaller|\-uTrustedInstaller|\ \-\-ti\ )</field>
    </rule>
    <rule id="901625" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
        </mitre>
        <description>PUA - Adidnsdump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)adidnsdump</field>
    </rule>
    <rule id="901626" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Inline Command Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:python\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-c</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Python)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+python\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-E\ \-s\ \-m\ ensurepip\ \-U\ \-\-default\-pip</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Programs\\+Microsoft\ VS\ Code\\+Code\.exe)$</field>
    </rule>
    <rule id="901627" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Spawning Pretty TTY on Windows</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)import\ pty</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.spawn\(</field>
    </rule>
    <rule id="901628" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Python Spawning Pretty TTY on Windows</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:python\.exe|python3\.exe|python2\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)from\ pty\ import\ spawn</field>
    </rule>
    <rule id="901629" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Query Usage To Exfil Data</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?::\\+Windows\\+System32\\+query\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)session\ &gt;|process\ &gt;</field>
    </rule>
    <rule id="901630" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Rar Usage with Password and Compression Level</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-hp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-m|\ a\ )</field>
    </rule>
    <rule id="901631" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Files Added To An Archive Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ a\ )</field>
    </rule>
    <rule id="901632" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Greedy Compression Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Command\ line\ RAR)$</field>
    </rule>
    <rule id="901633" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Greedy Compression Using Rar.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ a\ |\ a\ \-m</field>
    </rule>
    <rule id="901634" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious RASdial Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:rasdial\.exe)$</field>
    </rule>
    <rule id="901635" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Memory Dump via RdrLeakDiag.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)fullmemdmp|/memdmp|\-memdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-o\ |\ /o\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ |\ /p\ )</field>
    </rule>
    <rule id="901636" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Memory Dump via RdrLeakDiag.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rdrleakdiag\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RdrLeakDiag\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)fullmemdmp|/memdmp|\-memdmp</field>
    </rule>
    <rule id="901637" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Imports Registry Key From an ADS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGEDIT\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /i\ |\.reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):[^ \\+]</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-e\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-a\ )</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-c\ )</field>
    </rule>
    <rule id="901638" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Regedit as Trusted Installer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regedit\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+TrustedInstaller\.exe|\\+ProcessHacker\.exe)$</field>
    </rule>
    <rule id="901639" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1112</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Registry Modification Via Regini.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regini\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGINI\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):[^ \\+]</field>
    </rule>
    <rule id="901640" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
        </mitre>
        <description>DLL Execution Via Register-cimprovider.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+register\-cimprovider\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-path</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dll</field>
    </rule>
    <rule id="901641" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>Enumeration for 3rd Party Creds From CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Software\\+SimonTatham\\+PuTTY\\+Sessions|\\+Software\\+SimonTatham\\+PuTTY\\+SshHostKeys\\+|\\+Software\\+Mobatek\\+MobaXterm\\+|\\+Software\\+WOW6432Node\\+Radmin\\+v3\.0\\+Server\\+Parameters\\+Radmin|\\+Software\\+Aerofox\\+FoxmailPreview|\\+Software\\+Aerofox\\+Foxmail\\+V3\.1|\\+Software\\+IncrediMail\\+Identities|\\+Software\\+Qualcomm\\+Eudora\\+CommandLine|\\+Software\\+RimArts\\+B2\\+Settings|\\+Software\\+OpenVPN\-GUI\\+configs|\\+Software\\+Martin\ Prikryl\\+WinSCP\ 2\\+Sessions|\\+Software\\+FTPWare\\+COREFTP\\+Sites|\\+Software\\+DownloadManager\\+Passwords|\\+Software\\+OpenSSH\\+Agent\\+Keys|\\+Software\\+TightVNC\\+Server|\\+Software\\+ORL\\+WinVNC3\\+Password|\\+Software\\+RealVNC\\+WinVNC4</field>
    </rule>
    <rule id="901642" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+ProtocolDefaults</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0</field>
    </rule>
    <rule id="901643" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1037.001</id>
        </mitre>
        <description>Potential Persistence Via Logon Scripts - CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)UserInitMprLogonScript</field>
    </rule>
    <rule id="901644" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Using New NetworkProvider - CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+NetworkProvider</field>
    </rule>
    <rule id="901645" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Potential Privilege Escalation via Service Permissions Weakness</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:Medium)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)services</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+ImagePath|\\+FailureCommand|\\+ServiceDll</field>
    </rule>
    <rule id="901646" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provisioning Registry Key Abuse For Binary Proxy Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Provisioning\\+Commands\\+</field>
    </rule>
    <rule id="901647" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via TypedPaths - CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+TypedPaths</field>
    </rule>
    <rule id="901648" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Potential Regsvr32 Commandline Flag Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-i:)</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:\ \-n\ )</field>
    </rule>
    <rule id="901649" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of Regsvr32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cscript\.exe|\\+explorer\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+nltest\.exe|\\+notepad\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+reg\.exe|\\+schtasks\.exe|\\+werfault\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+werfault\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-u\ \-p\ )</field>
    </rule>
    <rule id="901650" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Regsvr32 Execution From Highly Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGSVR32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+Temp\\+|\\+Windows\\+Registration\\+CRMLog|\\+Windows\\+System32\\+com\\+dmp\\+|\\+Windows\\+System32\\+FxsTmp\\+|\\+Windows\\+System32\\+Microsoft\\+Crypto\\+RSA\\+MachineKeys\\+|\\+Windows\\+System32\\+spool\\+drivers\\+color\\+|\\+Windows\\+System32\\+spool\\+PRINTERS\\+|\\+Windows\\+System32\\+spool\\+SERVERS\\+|\\+Windows\\+System32\\+Tasks_Migrated\\+|\\+Windows\\+System32\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|\\+Windows\\+SysWOW64\\+com\\+dmp\\+|\\+Windows\\+SysWOW64\\+FxsTmp\\+|\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+PLA\\+System\\+|\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|\\+Windows\\+Tasks\\+|\\+Windows\\+Tracing\\+</field>
    </rule>
    <rule id="901651" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Regsvr32 Execution From Highly Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGSVR32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ "C:\\+|\ C:\\+|\ 'C:\\+|D:\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+ProgramData\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ "C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ 'C:\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901652" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Scripting/CommandLine Process Spawned Regsvr32</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /s\ C:\\+Windows\\+System32\\+RpcProxy\\+RpcProxy\.dll)$</field>
    </rule>
    <rule id="901653" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
            <id>attack.execution</id>
        </mitre>
        <description>Regsvr32 DLL Execution With Uncommon Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGSVR32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ax</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ocx</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="901654" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574</id>
            <id>attack.execution</id>
        </mitre>
        <description>Regsvr32 DLL Execution With Uncommon Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:REGSVR32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.ppl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.bav</field>
    </rule>
    <rule id="901655" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Potential Persistence Attempt Via Run Keys Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ ADD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
    </rule>
    <rule id="901656" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Suspicious Reg Add BitLocker</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ADD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Policies\\+Microsoft\\+FVE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EnableBDEWithNoTPM|UseAdvancedStartup|UseTPM|UseTPMKey|UseTPMKeyPIN|RecoveryKeyMessageSource|UseTPMPIN|RecoveryKeyMessage</field>
    </rule>
    <rule id="901657" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1556.002</id>
        </mitre>
        <description>Dropping Of Password Filter DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+Lsa</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)scecli\\+0.+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\ add</field>
    </rule>
    <rule id="901658" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+Exclusions\\+Paths|SOFTWARE\\+Microsoft\\+Microsoft\ Antimalware\\+Exclusions\\+Paths</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:ADD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/t\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:REG_DWORD\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/v\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0</field>
    </rule>
    <rule id="901659" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ NoChangingWallpaper</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 1</field>
    </rule>
    <rule id="901660" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ Wallpaper</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
    </rule>
    <rule id="901661" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Using Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ WallpaperStyle</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 2</field>
    </rule>
    <rule id="901662" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Security Service Disabled Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 4</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)v\ Start</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppIDSvc|\\+MsMpSvc|\\+NisSrv|\\+SecurityHealthService|\\+Sense|\\+UsoSvc|\\+WdBoot|\\+WdFilter|\\+WdNisDrv|\\+WdNisSvc|\\+WinDefend|\\+wscsvc|\\+wuauserv</field>
    </rule>
    <rule id="901663" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.002</id>
        </mitre>
        <description>Enumeration for Credentials in Registry</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ query\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/t\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/s</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKLM</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU\\+Software\\+SimonTatham\\+PuTTY\\+Sessions</field>
    </rule>
    <rule id="901664" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RestrictedAdminMode Registry Value Tampering - ProcCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Lsa\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisableRestrictedAdmin</field>
    </rule>
    <rule id="901665" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Query of MachineGUID</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Cryptography</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/v\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MachineGuid</field>
    </rule>
    <rule id="901666" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Enable LM Hash Storage - ProcCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Lsa</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NoLMHash</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0</field>
    </rule>
    <rule id="901667" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings\\+shell\\+open\\+command</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/ve\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d</field>
    </rule>
    <rule id="901668" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings\\+shell\\+open\\+command</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DelegateExecute</field>
    </rule>
    <rule id="901669" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Suspicious Reg Add Open Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)hkcu\\+software\\+classes\\+ms\-settings</field>
    </rule>
    <rule id="901670" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Tampering With RDP Related Registry Keys Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Terminal\ Server</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_DWORD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Licensing\ Core</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)EnableConcurrentSessions</field>
    </rule>
    <rule id="901671" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Tampering With RDP Related Registry Keys Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Terminal\ Server</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)REG_DWORD</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)WinStations\\+RDP\-Tcp|MaxInstanceCount|fEnableWinStation|TSUserEnabled|TSEnabled|TSAppCompat|IdleWinStationPoolCount|TSAdvertise|AllowTSConnections|fSingleSessionPerUser|fDenyTSConnections</field>
    </rule>
    <rule id="901672" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaveActive</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 1</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901673" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaveTimeout</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901674" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ ScreenSaverIsSecure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901675" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Suspicious ScreenSave Change by Reg.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKEY_CURRENT_USER\\+Control\ Panel\\+Desktop|HKCU\\+Control\ Panel\\+Desktop</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v\ SCRNSAVE\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/t\ REG_SZ</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.scr</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/f</field>
    </rule>
    <rule id="901676" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1518</id>
        </mitre>
        <description>Detected Windows Software Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)query</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+software\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/v</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)svcversion</field>
    </rule>
    <rule id="901677" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled Volume Snapshots</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Services\\+VSS\\+Diag</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/d\ Disabled</field>
    </rule>
    <rule id="901678" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Registry Key Tampering Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisallowExploitProtectionOverride|EnableControlledFolderAccess|MpEnablePus|PUAProtection|SpynetReporting|SubmitSamplesConsent|TamperProtection</field>
    </rule>
    <rule id="901679" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Windows Defender Registry Key Tampering Via Reg.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:reg\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center|SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ add\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)d\ 1</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DisableAntiSpyware|DisableAntiSpywareRealtimeProtection|DisableAntiVirus|DisableArchiveScanning|DisableBehaviorMonitoring|DisableBlockAtFirstSeen|DisableConfig|DisableEnhancedNotifications|DisableIntrusionPreventionSystem|DisableIOAVProtection|DisableOnAccessProtection|DisablePrivacyMode|DisableRealtimeMonitoring|DisableRoutinelyTakingAction|DisableScanOnRealtimeEnable|DisableScriptScanning|Notification_Suppress|SignatureDisableUpdateOnStartupWithoutEngine</field>
    </rule>
    <rule id="901680" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Write Protect For Storage Disabled</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Write\ Protection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)storage</field>
    </rule>
    <rule id="901681" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:AnyDesk\ Software\ GmbH)$</field>
    </rule>
    <rule id="901682" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Piped Password Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:echo\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ \-\-set\-password</field>
    </rule>
    <rule id="901683" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:AnyDesk\ Software\ GmbH)$</field>
        <field name="win.eventdata.fileVersion" negate="no" type="pcre2">(?i)^(?:7\.0\.|7\.1\.|8\.0\.1|8\.0\.2|8\.0\.3|8\.0\.4|8\.0\.5|8\.0\.6|8\.0\.7)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-remove</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-uninstall</field>
    </rule>
    <rule id="901684" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - AnyDesk Silent Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-install</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-start\-with\-win</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-silent</field>
    </rule>
    <rule id="901685" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - Anydesk Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+AnyDesk\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:AnyDesk)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:AnyDesk\ Software\ GmbH)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Program\ Files\ $x86$\\+AnyDesk</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)Program\ Files\\+AnyDesk</field>
    </rule>
    <rule id="901686" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - GoToAssist Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:GoTo\ Opener)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:GoTo\ Opener)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:LogMeIn,\ Inc\.)$</field>
    </rule>
    <rule id="901687" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - LogMeIn Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:LMIGuardianSvc)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:LMIGuardianSvc)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:LogMeIn,\ Inc\.)$</field>
    </rule>
    <rule id="901688" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - NetSupport Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:NetSupport\ Client\ Configurator)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:NetSupport\ Remote\ Control)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:NetSupport\ Ltd)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PCICFGUI\.EXE)$</field>
    </rule>
    <rule id="901689" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Remote Access Tool - NetSupport Execution From Unusual Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+client32\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)NetSupport\ Remote\ Control</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)client32\.exe</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:a9d50692e95b79723f3e76fcf70d023e)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=a9d50692e95b79723f3e76fcf70d023e</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="901690" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Remote Access Tool - RURAT Execution From Unusual Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rutserv\.exe|\\+rfusclient\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Remote\ Utilities)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Remote\ Utilities)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Remote\ Utilities)</field>
    </rule>
    <rule id="901691" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:ScreenConnect\ Service)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:ScreenConnect)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:ScreenConnect\ Software)$</field>
    </rule>
    <rule id="901692" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Installation Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)e=Access\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)y=Guest\&amp;</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;p=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;c=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\&amp;k=</field>
    </rule>
    <rule id="901693" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i):\\+Windows\\+TEMP\\+ScreenConnect\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)run\.cmd</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+bitsadmin\.exe|\\+cmd\.exe|\\+curl\.exe|\\+dllhost\.exe|\\+net\.exe|\\+nltest\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+rundll32\.exe|\\+wevtutil\.exe)$</field>
    </rule>
    <rule id="901694" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Remote Access Tool - ScreenConnect Server Web Shell Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ScreenConnect\.Service\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+csc\.exe)$</field>
    </rule>
    <rule id="901695" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - Simple Help Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+JWrapper\-Remote\ Access\\+|\\+JWrapper\-Remote\ Support\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SimpleService\.exe)$</field>
    </rule>
    <rule id="901696" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1133</id>
        </mitre>
        <description>Remote Access Tool - Team Viewer Session Started On Windows Host</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:TeamViewer_Desktop\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:TeamViewer_Service\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:TeamViewer_Desktop\.exe\ \-\-IPCport\ 5939\ \-\-Module\ 1)$</field>
    </rule>
    <rule id="901697" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Remote Access Tool - UltraViewer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:UltraViewer)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:DucFabulous\ Co,ltd)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:UltraViewer_Desktop\.exe)$</field>
    </rule>
    <rule id="901698" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1124</id>
        </mitre>
        <description>Discovery of a System Time</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)time</field>
    </rule>
    <rule id="901699" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1124</id>
        </mitre>
        <description>Discovery of a System Time</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+w32tm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tz</field>
    </rule>
    <rule id="901700" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)domainlist|trustdmp|dcmodes|adinfo|\ dclist\ |computer_pwdnotreqd|objectcategory=|\-subnets\ \-f|name="Domain\ Admins"|\-sc\ u:|domainncs|dompol|\ oudmp\ |subnetdmp|gpodmp|fspdmp|users_noexpire|computers_active|computers_pwdnotreqd</field>
    </rule>
    <rule id="901701" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:bca5675746d13a1f246e2da3c2217492|53e117a96057eaf19c41380d0e87f1c2)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=BCA5675746D13A1F246E2DA3C2217492|IMPHASH=53E117A96057EAF19C41380D0E87F1C2</field>
    </rule>
    <rule id="901702" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AdFind\.exe)$</field>
    </rule>
    <rule id="901703" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1018</id>
            <id>attack.t1087.002</id>
            <id>attack.t1482</id>
            <id>attack.t1069.002</id>
        </mitre>
        <description>Renamed AdFind Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AdFind\.exe)$</field>
    </rule>
    <rule id="901704" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed AutoHotkey.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)AutoHotkey</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)AutoHotkey</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AutoHotkey\.exe|AutoHotkey\.rc)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkey64_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyA32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyA32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU32_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoHotkeyU64_UIA\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AutoHotkey</field>
    </rule>
    <rule id="901705" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /AutoIt3ExecuteScript|\ /ErrorStdOut</field>
    </rule>
    <rule id="901706" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:fdc554b3a8683918d731685855683ddf|cd30a61b60b3d60cecdb034c8c83c290|f8a00c72f2d667d2edbb234d0c0ae000)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=FDC554B3A8683918D731685855683DDF|IMPHASH=CD30A61B60B3D60CECDB034C8C83C290|IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000</field>
    </rule>
    <rule id="901707" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:AutoIt3\.exe|AutoIt2\.exe|AutoIt\.exe)$</field>
    </rule>
    <rule id="901708" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Renamed AutoIt Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt3_x64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AutoIt3\.exe)$</field>
    </rule>
    <rule id="901709" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential Defense Evasion Via Binary Rename</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe|CONHOST\.EXE|7z\.exe|WinRAR\.exe|wevtutil\.exe|net\.exe|net1\.exe|netsh\.exe|InstallUtil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+7z\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WinRAR\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+InstallUtil\.exe)$</field>
    </rule>
    <rule id="901710" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Potential Defense Evasion Via Rename Of Highly Relevant Binaries</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Execute\ processes\ remotely)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Sysinternals\ PsExec)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Windows\ PowerShell|pwsh)</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:certutil\.exe|cmstp\.exe|cscript\.exe|mshta\.exe|msiexec\.exe|powershell_ise\.exe|powershell\.exe|psexec\.c|psexec\.exe|psexesvc\.exe|pwsh\.dll|reg\.exe|regsvr32\.exe|rundll32\.exe|WerMgr|wmic\.exe|wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+certutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmstp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psexec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PSEXESVC\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+reg\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
    </rule>
    <rule id="901711" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1528</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed BrowserCore.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:BrowserCore\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+BrowserCore\.exe)$</field>
    </rule>
    <rule id="901712" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cleanup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-connector\-id\ )</field>
    </rule>
    <rule id="901713" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ run\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-config\ |\-credentials\-contents\ |\-credentials\-file\ |\-token\ )</field>
    </rule>
    <rule id="901714" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-url</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel</field>
    </rule>
    <rule id="901715" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29|SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8|SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039|SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28|SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7|SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373|SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670|SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a|SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0|SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1|SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2|SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac|SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f|SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d|SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499|SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b|SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f|SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032|SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234|SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f|SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058|SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c|SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f|SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5|SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3|SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4|SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c|SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4|SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f|SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad|SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7|SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75|SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6|SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688|SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f|SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663|SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77|SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078</field>
    </rule>
    <rule id="901716" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1090.001</id>
        </mitre>
        <description>Renamed Cloudflared.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\-windows\-386\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cloudflared\-windows\-amd64\.exe)$</field>
    </rule>
    <rule id="901717" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:FX_VER_INTERNALNAME_STR)$</field>
    </rule>
    <rule id="901718" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-full\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="901719" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Renamed CreateDump Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+createdump\.exe)$</field>
    </rule>
    <rule id="901720" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_curl.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed CURL.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:curl\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:The\ curl\ executable)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+curl</field>
    </rule>
    <rule id="901721" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1055.001</id>
            <id>attack.t1202</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Renamed ZOHO Dctask64 Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)6834B1B94E49701D77CCB3C0895E1AFD</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+dctask64\.exe)$</field>
    </rule>
    <rule id="901722" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed FTP.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ftp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ftp\.exe)$</field>
    </rule>
    <rule id="901723" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1486</id>
        </mitre>
        <description>Renamed Gpg.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:gpg\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+gpg\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+gpg2\.exe)$</field>
    </rule>
    <rule id="901724" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed Jusched.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Java\ Update\ Scheduler|Java$TM$\ Update\ Scheduler)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+jusched\.exe)$</field>
    </rule>
    <rule id="901725" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.001</id>
            <id>attack.t1218.013</id>
        </mitre>
        <description>Renamed Mavinject.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:mavinject32\.exe|mavinject64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mavinject32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mavinject64\.exe)$</field>
    </rule>
    <rule id="901726" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Renamed MegaSync Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:megasync\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+megasync\.exe)$</field>
    </rule>
    <rule id="901727" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed Msdt.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:msdt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msdt\.exe)$</field>
    </rule>
    <rule id="901728" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed NetSupport RAT Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)NetSupport\ Remote\ Control</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)client32\.exe</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:a9d50692e95b79723f3e76fcf70d023e)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=A9D50692E95B79723F3E76FCF70D023E</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+client32\.exe)$</field>
    </rule>
    <rule id="901729" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed NirCmd.EXE Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:NirCmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+nircmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+nircmdc\.exe)$</field>
    </rule>
    <rule id="901730" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Renamed Office Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Excel\.exe|MSACCESS\.EXE|MSPUB\.EXE|OneNote\.exe|OneNoteM\.exe|OUTLOOK\.EXE|POWERPNT\.EXE|WinWord\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Microsoft\ Access|Microsoft\ Excel|Microsoft\ OneNote|Microsoft\ Outlook|Microsoft\ PowerPoint|Microsoft\ Publisher|Microsoft\ Word|Sent\ to\ OneNote\ Tool)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+EXCEL\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excelcnv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSACCESS\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MSPUB\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTE\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ONENOTEM\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OUTLOOK\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+POWERPNT\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WINWORD\.exe)$</field>
    </rule>
    <rule id="901731" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed PAExec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:PAExec\ Application)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PAExec\.exe)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)PAExec</field>
        <field name="win.eventdata.impHash" negate="no" type="pcre2">(?i)^(?:11D40A7B7876288F919AB819CC2D9802|6444f8a34e99b8f7d9647de66aabe516|dfd6aa3f7b2b1035b76b718f1ddc689f|1a6cca4d5460b1710a12dea39e4a592c)$</field>
        <field name="win.eventdata.hashes" negate="no" type="pcre2">(?i)IMPHASH=11D40A7B7876288F919AB819CC2D9802|IMPHASH=6444f8a34e99b8f7d9647de66aabe516|IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f|IMPHASH=1a6cca4d5460b1710a12dea39e4a592c</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+paexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+PAExec\-)</field>
    </rule>
    <rule id="901732" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Renamed PingCastle Binary Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PingCastleReporting\.exe|PingCastleCloud\.exe|PingCastle\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-scanner\ aclcheck|\-\-scanner\ antivirus|\-\-scanner\ computerversion|\-\-scanner\ foreignusers|\-\-scanner\ laps_bitlocker|\-\-scanner\ localadmin|\-\-scanner\ nullsession|\-\-scanner\ nullsession\-trust|\-\-scanner\ oxidbindings|\-\-scanner\ remote|\-\-scanner\ share|\-\-scanner\ smb|\-\-scanner\ smb3querynetwork|\-\-scanner\ spooler|\-\-scanner\ startup|\-\-scanner\ zerologon</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-no\-enum\-limit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-level\ Full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-healthcheck</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-server\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastleReporting\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastleCloud\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PingCastle\.exe)$</field>
    </rule>
    <rule id="901733" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Renamed Plink Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Plink)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-l\ forward</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-P\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+plink\.exe)$</field>
    </rule>
    <rule id="901734" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Visual Studio NodejsTools PressAnyKey Renamed Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Microsoft\.NodejsTools\.PressAnyKey\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\.NodejsTools\.PressAnyKey\.exe)$</field>
    </rule>
    <rule id="901735" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Potential Renamed Rundll32 Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)DllRegisterServer</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
    </rule>
    <rule id="901736" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.collection</id>
            <id>attack.command_and_control</id>
            <id>attack.discovery</id>
            <id>attack.s0592</id>
        </mitre>
        <description>Renamed Remote Utilities RAT (RURAT) Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Remote\ Utilities)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rutserv\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rfusclient\.exe)$</field>
    </rule>
    <rule id="901737" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Renamed SysInternals DebugView Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:Sysinternals\ DebugView)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)^(?:Dbgview\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dbgview\.exe)$</field>
    </rule>
    <rule id="901738" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed ProcDump Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:procdump)$</field>
    </rule>
    <rule id="901739" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Renamed ProcDump Execution</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ma\ |\ /ma\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-accepteula\ |\ /accepteula\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
    </rule>
    <rule id="901740" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Renamed PsExec Service Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:psexesvc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+PSEXESVC\.exe)$</field>
    </rule>
    <rule id="901741" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1485</id>
        </mitre>
        <description>Renamed Sysinternals Sdelete Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sdelete\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete64\.exe)$</field>
    </rule>
    <rule id="901742" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
        </mitre>
        <description>Renamed Vmnat.exe Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:vmnat\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:vmnat\.exe)$</field>
    </rule>
    <rule id="901743" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Renamed Whoami Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:whoami\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
    </rule>
    <rule id="901744" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Capture Credentials with Rpcping.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rpcping\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-s)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-u|NTLM)</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-t|ncacn_np)</field>
    </rule>
    <rule id="901745" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Call by Ordinal</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i),\#|,\ \#|\.dll\ \#|\.ocx\ \#</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)EDGEHTML\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\#141</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Msbuild\\+Current\\+Bin\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+VC\\+Tools\\+MSVC\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Tracker\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker32\.dll,\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker32\.dll",\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker64\.dll,\#1</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+FileTracker64\.dll",\#1</field>
    </rule>
    <rule id="901746" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspicious Rundll32 Invoking Inline VBScript</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Execute</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegRead</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)window\.close</field>
    </rule>
    <rule id="901747" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Mshtml.DLL RunHTMLApplication Suspicious Usage</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\.\.\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshtml</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\#135|RunHTMLApplication</field>
    </rule>
    <rule id="901748" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Rundll32 Execution Without CommandLine Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+rundll32\.exe"|\\+rundll32)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Edge\\+</field>
    </rule>
    <rule id="901749" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Rundll32 Spawned Via Explorer.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-localserver\ 22d8c27b\-47a1\-48d1\-ad08\-7da7abd79617)$</field>
    </rule>
    <rule id="901750" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\#\-|\#\+|\#24|24\ |MiniDump</field>
    </rule>
    <rule id="901751" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
    </rule>
    <rule id="901752" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
            <id>car.2013-05-009</id>
        </mitre>
        <description>Process Memory Dump Via Comsvcs.DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)24</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \#|,\#|,\ \#</field>
    </rule>
    <rule id="901753" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>car.2013-05-002</id>
        </mitre>
        <description>Suspicious Process Start Locations</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+RECYCLER\\+|:\\+SystemVolumeInformation\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+Tasks\\+|C:\\+Windows\\+debug\\+|C:\\+Windows\\+fonts\\+|C:\\+Windows\\+help\\+|C:\\+Windows\\+drivers\\+|C:\\+Windows\\+addins\\+|C:\\+Windows\\+cursors\\+|C:\\+Windows\\+system32\\+tasks\\+)</field>
    </rule>
    <rule id="901754" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Rundll32 Setupapi.dll Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+runonce\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)setupapi\.dll</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)InstallHinfSection</field>
    </rule>
    <rule id="901755" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>RunDLL32 Spawning Explorer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+shell32\.dll,Control_RunDLL</field>
    </rule>
    <rule id="901756" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Potentially Suspicious Rundll32 Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)javascript:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.RegisterXLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURLA</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)url\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)FileProtocolHandler</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)zipfldr\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RouteTheCall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Control_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShellExec_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshtml\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)PrintHTML</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchINFSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)advpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegisterOCX</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieadvpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchINFSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieadvpack\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RegisterOCX</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ieframe\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shdocvw\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)OpenURL</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)syssetup\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SetupInfObjectInstallAction</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)setupapi\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)InstallHinfSection</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)pcwutl\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)LaunchApplication</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dfshim\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShOpenVerbApplication</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)dfshim\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShOpenVerbShortcut</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)scrobj\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)GenerateTypeLib</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shimgvw\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ImageView_Fullscreen</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MiniDump</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)shell32\.dll,Control_RunDLL\ desk\.cpl,screensaver,@screensaver</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+control\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Shell32\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Control_RunDLL</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+control\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+rundll32\.exe"\ Shell32\.dll,Control_RunDLL\ "C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl",)$</field>
    </rule>
    <rule id="901757" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Suspicious Control Panel DLL Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+System32\\+control\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Shell32\.dll</field>
    </rule>
    <rule id="901758" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ShimCache Flush</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)apphelp\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ShimFlushCache|\#250</field>
    </rule>
    <rule id="901759" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ShimCache Flush</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)apphelp\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)kernel32\.dll</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)BaseFlushAppcompatCache|\#46</field>
    </rule>
    <rule id="901760" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Rundll32 Execution With Uncommon DLL Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:RUNDLL32\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.cpl'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.dll'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.inf\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf,</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf"</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.inf'</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.cpl)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\.inf)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-localserver\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+Installer\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="901761" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048.003</id>
            <id>cve.2023.23397</id>
        </mitre>
        <description>Suspicious WebDav Client Execution Via Rundll32.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-s\ WebClient</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+windows\\+system32\\+davclnt\.dll,DavSetCookie</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://10\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://192\.168\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.16\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.17\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.18\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.19\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.20\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.21\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.22\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.23\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.24\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.25\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.26\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.27\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.28\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.29\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.30\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://172\.31\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://127\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)://169\.254\.</field>
    </rule>
    <rule id="901762" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1021.002</id>
            <id>attack.t1570</id>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>Rundll32 Execution Without Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:rundll32\.exe|rundll32)$</field>
    </rule>
    <rule id="901763" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Suspicious Schtasks Execution AppData Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/RU</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/TR</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:NT\ AUT|\ SYSTEM\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)TeamViewer_\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/TN\ TVInstallRestore</field>
    </rule>
    <rule id="901764" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1053.005</id>
            <id>attack.s0111</id>
            <id>car.2013-08-001</id>
            <id>stp.1u</id>
        </mitre>
        <description>Scheduled Task Creation Via Schtasks.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
    </rule>
    <rule id="901765" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation Involving Temp Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /sc\ once\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="901766" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Delete All Scheduled Tasks</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /delete\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/tn\ \\+.+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /f</field>
    </rule>
    <rule id="901767" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks From Env Var Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs|:\\+Windows\\+Temp|\\+AppData\\+Local\\+|\\+AppData\\+Roaming\\+|\\+Users\\+Public|%AppData%|%Public%</field>
    </rule>
    <rule id="901768" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks From Env Var Folder</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs|:\\+Windows\\+Temp|\\+Users\\+Public|%Public%</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update_task\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /TN\ TVInstallRestore\ /TR</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)unattended\.ini</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /Xml\ "C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+\.CR\.</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Avira_Security_Installation\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/Create\ /F\ /TN</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Xml\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+is\-</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Avira_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+UpdateFallbackTask\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+WatchdogServiceControlManagerTimeout\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+SystrayAutostart\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.tmp\\+MaintenanceTask\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Create\ /TN\ "klcp_update"\ /XML\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+klcp_update_task\.xml</field>
    </rule>
    <rule id="901769" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Add Scheduled Task Parent</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet|\\+Users\\+Public\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)update_task\.xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)unattended\.ini</field>
    </rule>
    <rule id="901770" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Persistence Via Powershell Search Order Hijacking - Task</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-k\ netsvcs</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\-s\ Schedule</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-windowstyle\ hidden|\ \-w\ hidden|\ \-ep\ bypass|\ \-noni)$</field>
    </rule>
    <rule id="901771" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Scheduled Task Executing Payload from Registry</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-ItemProperty|\ gp\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)HKCU:|HKLM:|registry::|HKEY_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)FromBase64String</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)encodedcommand</field>
    </rule>
    <rule id="901772" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Schtasks Schedule Types</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ ONLOGON\ |\ ONSTART\ |\ ONCE\ |\ ONIDLE\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)NT\ AUT</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ SYSTEM</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)HIGHEST</field>
    </rule>
    <rule id="901773" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1036.005</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation via Masqueraded XML File</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/create|\-create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/xml|\-xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.xml</field>
        <field name="win.eventdata.integrityLevel" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+Installer\\+MSI</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\.tmp,zzzzInvokeManagedCustomActionOutOfProc</field>
    </rule>
    <rule id="901774" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1036.005</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Scheduled Task Creation via Masqueraded XML File</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/create|\-create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/xml|\-xml</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+ProgramData\\+OEM\\+UpgradeTool\\+CareCenter_.+\\+BUnzip\\+Setup_msi\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Axis\ Communications\\+AXIS\ Camera\ Station\\+SetupActions\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Axis\ Communications\\+AXIS\ Device\ Manager\\+AdmSetupActions\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Zemana\\+AntiMalware\\+AntiMalware\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Dell\\+SupportAssist\\+pcdrcui\.exe)$</field>
    </rule>
    <rule id="901775" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Command Patterns In Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/sc\ minute\ |/ru\ system\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:cmd\ /c|cmd\ /k|cmd\ /r|cmd\.exe\ /c\ |cmd\.exe\ /k\ |cmd\.exe\ /r\ )</field>
    </rule>
    <rule id="901776" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Suspicious Command Patterns In Scheduled Task Creation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/Create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/sc\ minute\ |/ru\ system\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-decode\ |\ \-enc\ |\ \-w\ hidden\ |\ bypass\ |\ IEX|\.DownloadData|\.DownloadFile|\.DownloadString|/c\ start\ /min\ |FromBase64String|mshta\ http|mshta\.exe\ http</field>
    </rule>
    <rule id="901777" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Schtasks Creation Or Modification With SYSTEM Privileges</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /change\ |\ /create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/ru\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:NT\ AUT|\ SYSTEM\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+schtasks\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/TN\ TVInstallRestore</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+TeamViewer_\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/Create\ /F\ /RU\ System\ /SC\ WEEKLY\ /TN\ AviraSystemSpeedupVerify\ /TR\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Avira\\+System\ Speedup\\+setup\\+avira_speedup_setup\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/VERIFY\ /VERYSILENT\ /NOSTART\ /NODOTNET\ /NORESTART"\ /RL\ HIGHEST</field>
    </rule>
    <rule id="901778" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Script Event Consumer Spawning Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+scrcons\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+dllhost\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+schtasks\.exe|\\+regsvr32\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+msiexec\.exe|\\+msbuild\.exe)$</field>
    </rule>
    <rule id="901779" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Possible Privilege Escalation via Weak Service Permissions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:Medium)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
    </rule>
    <rule id="901780" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Possible Privilege Escalation via Weak Service Permissions</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:Medium)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)failure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)command</field>
    </rule>
    <rule id="901781" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Service Creation Using Sc.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
    </rule>
    <rule id="901782" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>New Kernel Driver Via SC.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create|config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)type</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)kernel</field>
    </rule>
    <rule id="901783" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious Service Path Modification</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)config</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|cmd\ |mshta|wscript|cscript|rundll32|svchost|dllhost|cmd\.exe\ /c|cmd\.exe\ /k|cmd\.exe\ /r|cmd\ /c|cmd\ /k|cmd\ /r|C:\\+Users\\+Public|\\+Downloads\\+|\\+Desktop\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+Windows\\+TEMP\\+|\\+AppData\\+Local\\+Temp</field>
    </rule>
    <rule id="901784" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
            <id>attack.t1574.011</id>
        </mitre>
        <description>Potential Persistence Attempt Via Existing Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:sc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:config\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binpath=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:sc\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)failure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)command=</field>
    </rule>
    <rule id="901785" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Shim Database Persistence via Sdbinst.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sdbinst\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sdbinst\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.sdb</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+IIS\ Express\\+iisexpressshim\.sdb</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+IIS\ Express\\+iisexpressshim\.sdb</field>
    </rule>
    <rule id="901786" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Uncommon Extension Shim Database Installation Via Sdbinst.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sdbinst\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sdbinst\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.sdb</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-c)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-f)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-mm)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-t)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-m\ \-bg</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="901787" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Sdclt Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sdclt\.exe)$</field>
    </rule>
    <rule id="901788" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Sdiagnhost Calling Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+sdiagnhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe|\\+mshta\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+taskkill\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+calc\.exe)$</field>
    </rule>
    <rule id="901789" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1562.002</id>
            <id>attack.t1547.001</id>
            <id>attack.t1505.005</id>
            <id>attack.t1556.002</id>
            <id>attack.t1562</id>
            <id>attack.t1574.007</id>
            <id>attack.t1564.002</id>
            <id>attack.t1546.008</id>
            <id>attack.t1546.007</id>
            <id>attack.t1547.014</id>
            <id>attack.t1547.010</id>
            <id>attack.t1547.002</id>
            <id>attack.t1557</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Potential Suspicious Activity Using SeCEdit</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+secedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SeCEdit)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/export</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/cfg</field>
    </rule>
    <rule id="901790" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.credential_access</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1562.002</id>
            <id>attack.t1547.001</id>
            <id>attack.t1505.005</id>
            <id>attack.t1556.002</id>
            <id>attack.t1562</id>
            <id>attack.t1574.007</id>
            <id>attack.t1564.002</id>
            <id>attack.t1546.008</id>
            <id>attack.t1546.007</id>
            <id>attack.t1547.014</id>
            <id>attack.t1547.010</id>
            <id>attack.t1547.002</id>
            <id>attack.t1557</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Potential Suspicious Activity Using SeCEdit</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+secedit\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:SeCEdit)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/configure</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/db</field>
    </rule>
    <rule id="901791" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1555</id>
            <id>cve.2021.35211</id>
        </mitre>
        <description>Suspicious Serv-U Process Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Serv\-U\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+sh\.exe|\\+bash\.exe|\\+schtasks\.exe|\\+regsvr32\.exe|\\+wmic\.exe|\\+mshta\.exe|\\+rundll32\.exe|\\+msiexec\.exe|\\+forfiles\.exe|\\+scriptrunner\.exe)$</field>
    </rule>
    <rule id="901792" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1529</id>
        </mitre>
        <description>Suspicious Execution of Shutdown</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+shutdown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/r\ |/s\ )</field>
    </rule>
    <rule id="901793" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1529</id>
        </mitre>
        <description>Suspicious Execution of Shutdown to Log Out</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+shutdown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/l</field>
    </rule>
    <rule id="901794" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Uncommon Child Processes Of SndVol.exe</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+SndVol\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ shell32\.dll,Control_RunDLL\ )</field>
    </rule>
    <rule id="901795" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1123</id>
        </mitre>
        <description>Audio Capture via SoundRecorder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+SoundRecorder\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/FILE</field>
    </rule>
    <rule id="901796" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Splwow64 Without Params</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+splwow64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:splwow64\.exe)$</field>
    </rule>
    <rule id="901797" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+gpupdate\.exe|\\+whoami\.exe|\\+nltest\.exe|\\+taskkill\.exe|\\+wmic\.exe|\\+taskmgr\.exe|\\+sc\.exe|\\+findstr\.exe|\\+curl\.exe|\\+wget\.exe|\\+certutil\.exe|\\+bitsadmin\.exe|\\+accesschk\.exe|\\+wevtutil\.exe|\\+bcdedit\.exe|\\+fsutil\.exe|\\+cipher\.exe|\\+schtasks\.exe|\\+write\.exe|\\+wuauclt\.exe|\\+systeminfo\.exe|\\+reg\.exe|\\+query\.exe)$</field>
    </rule>
    <rule id="901798" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)start</field>
    </rule>
    <rule id="901799" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.spl</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)route\ add</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)program\ files</field>
    </rule>
    <rule id="901800" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)add\ portopening</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)rule\ name</field>
    </rule>
    <rule id="901801" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1203</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1068</id>
        </mitre>
        <description>Suspicious Spool Service Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+netsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\.spl</field>
    </rule>
    <rule id="901802" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Process Proxy Execution Via Squirrel.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+squirrel\.exe|\\+update\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-processStart|\-\-processStartAndWait|\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Discord\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Discord\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)GitHubDesktop\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStartAndWait</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+Teams\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Teams\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+yammerdesktop\\+Update\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Yammer\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-processStart</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-\-createShortcut</field>
    </rule>
    <rule id="901803" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1572</id>
            <id>attack.t1021.001</id>
            <id>attack.t1021.004</id>
        </mitre>
        <description>Port Forwarding Activity Via SSH.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ssh\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-R\ )</field>
    </rule>
    <rule id="901804" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1572</id>
        </mitre>
        <description>Potential RDP Tunneling Via SSH</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ssh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):3389</field>
    </rule>
    <rule id="901805" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.persistence</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Potential Amazon SSM Agent Hijacking</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+amazon\-ssm\-agent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-register\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-code\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-id\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-region\ )</field>
    </rule>
    <rule id="901806" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution via stordiag.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+stordiag\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe|\\+systeminfo\.exe|\\+fltmc\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+system32\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:c:\\+windows\\+syswow64\\+)</field>
    </rule>
    <rule id="901807" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Start of NT Virtual DOS Machine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntvdm\.exe|\\+csrstub\.exe)$</field>
    </rule>
    <rule id="901808" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>Abused Debug Privilege by Arbitrary Parent Processes</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+winlogon\.exe|\\+services\.exe|\\+lsass\.exe|\\+csrss\.exe|\\+smss\.exe|\\+wininit\.exe|\\+spoolsv\.exe|\\+searchindexer\.exe)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll|Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ route\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ ADD\ )</field>
    </rule>
    <rule id="901809" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
    </rule>
    <rule id="901810" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:makecab\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.cab</field>
    </rule>
    <rule id="901811" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:reg\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ export\ )</field>
    </rule>
    <rule id="901812" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regedit\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /E\ )</field>
    </rule>
    <rule id="901813" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Execute From Alternate Data Streams</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)txt:</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:esentutl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /y\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /d\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /o\ )</field>
    </rule>
    <rule id="901814" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Windows\\+Installer\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)msi</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:tmp)$</field>
    </rule>
    <rule id="901815" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
    </rule>
    <rule id="901816" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Always Install Elevated Windows Installer</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+msiexec\.exe\ /V)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)(?:\\+system32\\+msiexec\.exe\ /V)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Sophos\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Avira\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Avast\ Software\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Avast\ Software\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Update\\+)</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Google\\+Update\\+)</field>
    </rule>
    <rule id="901817" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901818" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cmd\ /c|Invoke\-|Base64</field>
    </rule>
    <rule id="901819" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potentially Suspicious Windows App Activity</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Program\ Files\\+WindowsApps\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WindowsApps\\+Microsoft\.WindowsTerminal</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
    </rule>
    <rule id="901820" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1204</id>
            <id>attack.t1566.001</id>
            <id>attack.execution</id>
            <id>attack.initial_access</id>
        </mitre>
        <description>Arbitrary Shell Command Execution Via Settingcontent-Ms</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.SettingContent\-ms</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)immersivecontrolpanel</field>
    </rule>
    <rule id="901821" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566</id>
        </mitre>
        <description>Phishing Pattern ISO in Archive</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+Winrar\.exe|\\+7zFM\.exe|\\+peazip\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+isoburn\.exe|\\+PowerISO\.exe|\\+ImgBurn\.exe)$</field>
    </rule>
    <rule id="901822" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1119</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Automated Collection Command Prompt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc|\.docx|\.xls|\.xlsx|\.ppt|\.pptx|\.rtf|\.pdf|\.txt</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /b\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /s\ )</field>
    </rule>
    <rule id="901823" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1119</id>
            <id>attack.credential_access</id>
            <id>attack.t1552.001</id>
        </mitre>
        <description>Automated Collection Command Prompt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc|\.docx|\.xls|\.xlsx|\.ppt|\.pptx|\.rtf|\.pdf|\.txt</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:FINDSTR\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /e\ |\ /si\ )</field>
    </rule>
    <rule id="901824" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:WerFault\.exe)$</field>
    </rule>
    <rule id="901825" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:rundll32\.exe)$</field>
    </rule>
    <rule id="901826" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvcs\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regsvcs\.exe)$</field>
    </rule>
    <rule id="901827" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regasm\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regasm\.exe)$</field>
    </rule>
    <rule id="901828" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:regsvr32\.exe)$</field>
    </rule>
    <rule id="901829" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+EdgeUpdate\\+Install\\+\{</field>
    </rule>
    <rule id="901830" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>Bad Opsec Defaults Sacrificial Processes With Improper Arguments</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Installer\\+setup\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\-\-uninstall\ \-\-channel=stable</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:rundll32\.exe)$</field>
    </rule>
    <rule id="901831" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Escape Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)h\^t\^t\^p|h"t"t"p</field>
    </rule>
    <rule id="901832" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ЛЈ|ЛЄ|Лў</field>
    </rule>
    <rule id="901833" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)в€•|вЃ„</field>
    </rule>
    <rule id="901834" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)вЂ•|вЂ”</field>
    </rule>
    <rule id="901835" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Potential Commandline Obfuscation Using Unicode Characters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Гў|в‚¬|ВЈ|ВЇ|В®|Вµ|В¶</field>
    </rule>
    <rule id="901836" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Windows\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\.\.\\+Windows\\+|\\+\.\.\\+System32\\+|\\+\.\.\\+\.\.\\+</field>
    </rule>
    <rule id="901837" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\\+\.\.\\+</field>
    </rule>
    <rule id="901838" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Potential Command Line Path Traversal Evasion Attempt</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Google\\+Drive\\+googledrivesync\.exe\\+\.\.\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Citrix\\+Virtual\ Smart\ Card\\+Citrix\.Authentication\.VirtualSmartcard\.Launcher\.exe\\+\.\.\\+</field>
    </rule>
    <rule id="901839" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.collection</id>
            <id>attack.exfiltration</id>
            <id>attack.t1039</id>
            <id>attack.t1048</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Copy From Or To Admin Share Or Sysvol Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.+\$|\\+Sysvol\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:robocopy\.exe|XCOPY\.EXE)$</field>
    </rule>
    <rule id="901840" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.collection</id>
            <id>attack.exfiltration</id>
            <id>attack.t1039</id>
            <id>attack.t1048</id>
            <id>attack.t1021.002</id>
        </mitre>
        <description>Copy From Or To Admin Share Or Sysvol Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+.+\$|\\+Sysvol\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy</field>
    </rule>
    <rule id="901841" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
    </rule>
    <rule id="901842" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\-item|\ copy\ |cpi\ |\ cp\ )</field>
    </rule>
    <rule id="901843" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:robocopy\.exe|XCOPY\.EXE)$</field>
    </rule>
    <rule id="901844" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Suspicious Copy From or To System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+System32|\\+SysWOW64|\\+WinSxS</field>
    </rule>
    <rule id="901845" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
    </rule>
    <rule id="901846" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\-item|\ copy\ |cpi\ |\ cp\ )</field>
    </rule>
    <rule id="901847" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>LOL-Binary Copied From System Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+robocopy\.exe|\\+xcopy\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:robocopy\.exe|XCOPY\.EXE)$</field>
    </rule>
    <rule id="901848" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1496</id>
        </mitre>
        <description>Potential Crypto Mining Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-\-cpu\-priority=|\-\-donate\-level=0|\ \-o\ pool\.|\ \-\-nicehash|\ \-\-algo=rx/0\ |stratum\+tcp://|stratum\+udp://|LS1kb25hdGUtbGV2ZWw9|0tZG9uYXRlLWxldmVsP|tLWRvbmF0ZS1sZXZlbD|c3RyYXR1bSt0Y3A6Ly|N0cmF0dW0rdGNwOi8v|zdHJhdHVtK3RjcDovL|c3RyYXR1bSt1ZHA6Ly|N0cmF0dW0rdWRwOi8v|zdHJhdHVtK3VkcDovL</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ pool\.c\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ pool\.o\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)gcc\ \-</field>
    </rule>
    <rule id="901849" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Invoke\-WebRequest|iwr\ |wget\ |curl\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-ur</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-me</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-b</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ POST\ )</field>
    </rule>
    <rule id="901850" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+curl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-ur</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-d\ |\ \-\-data\ )</field>
    </rule>
    <rule id="901851" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Potential Data Exfiltration Activity Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wget\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-post\-data|\-\-post\-file</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Get\-Content|GetBytes|hostname|ifconfig|ipconfig|net\ view|netstat|nltest|qprocess|sc\ query|systeminfo|tasklist|ToBase64String|whoami</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:type\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ &gt;\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ C:\\+</field>
    </rule>
    <rule id="901852" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:taskkill\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RaccineSettings\.exe</field>
    </rule>
    <rule id="901853" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)reg\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Raccine\ Tray</field>
    </rule>
    <rule id="901854" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Raccine Uninstall</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)schtasks</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/DELETE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Raccine\ Rules\ Updater</field>
    </rule>
    <rule id="901855" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Suspicious Double Extension File Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\.doc\.exe|\.docx\.exe|\.xls\.exe|\.xlsx\.exe|\.ppt\.exe|\.pptx\.exe|\.rtf\.exe|\.pdf\.exe|\.txt\.exe|\ \ \ \ \ \ \.exe|______\.exe|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.doc\.exe|\.docx\.exe|\.xls\.exe|\.xlsx\.exe|\.ppt\.exe|\.pptx\.exe|\.rtf\.exe|\.pdf\.exe|\.txt\.exe|\ \ \ \ \ \ \.exe|______\.exe|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js</field>
    </rule>
    <rule id="901856" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.007</id>
        </mitre>
        <description>Suspicious Parent Double Extension File Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\.doc\.lnk|\.docx\.lnk|\.xls\.lnk|\.xlsx\.lnk|\.ppt\.lnk|\.pptx\.lnk|\.rtf\.lnk|\.pdf\.lnk|\.txt\.lnk|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.doc\.lnk|\.docx\.lnk|\.xls\.lnk|\.xlsx\.lnk|\.ppt\.lnk|\.pptx\.lnk|\.rtf\.lnk|\.pdf\.lnk|\.txt\.lnk|\.doc\.js|\.docx\.js|\.xls\.js|\.xlsx\.js|\.ppt\.js|\.pptx\.js|\.rtf\.js|\.pdf\.js|\.txt\.js</field>
    </rule>
    <rule id="901857" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>DumpStack.log Defender Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DumpStack\.log)$</field>
    </rule>
    <rule id="901858" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>DumpStack.log Defender Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-o\ DumpStack\.log</field>
    </rule>
    <rule id="901859" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901860" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
    </rule>
    <rule id="901861" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+chrome\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+discord\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+discord\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+GitHubDesktop\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+keybase\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+keybase\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedge\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msedgewebview2\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+msteams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msteams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+slack\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+WerFault\.exe)$</field>
    </rule>
    <rule id="901862" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Electron Application Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+chrome\.exe|\\+discord\.exe|\\+GitHubDesktop\.exe|\\+keybase\.exe|\\+msedge\.exe|\\+msedgewebview2\.exe|\\+msteams\.exe|\\+slack\.exe|\\+Teams\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Discord\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+NVSMI\\+nvidia\-smi\.exe</field>
    </rule>
    <rule id="901863" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Elevated System Shell Spawned From Uncommon Parent Location</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll|Cmd\.Exe)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.logonId" negate="no" type="pcre2">(?i)^(?:0x3e7)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="901864" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Elevated System Shell Spawned From Uncommon Parent Location</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll|Cmd\.Exe)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.logonId" negate="no" type="pcre2">(?i)^(?:0x3e7)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+ManageEngine\\+ADManager\ Plus\\+pgsql\\+bin\\+postgres\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+cmd\.exe\ /c\ "</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+IBM\\+SpectrumProtect\\+webserver\\+scripts\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+IBM\\+SpectrumProtect\\+webserver\\+scripts\\+</field>
    </rule>
    <rule id="901865" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Hidden Powershell in Link File Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.lnk</field>
    </rule>
    <rule id="901866" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Tamper In .NET Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)COMPlus_ETWEnabled|COMPlus_ETWFlags</field>
    </rule>
    <rule id="901867" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Trace</field>
    </rule>
    <rule id="901868" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clear\-log</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/Trace</field>
    </rule>
    <rule id="901869" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)sl</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/e:false</field>
    </rule>
    <rule id="901870" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)set\-log</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/e:false</field>
    </rule>
    <rule id="901871" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)logman</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)update</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)trace</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-p</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-ets</field>
    </rule>
    <rule id="901872" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Remove\-EtwTraceProvider</field>
    </rule>
    <rule id="901873" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1562.006</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Disable of ETW Trace</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Set\-EtwTraceProvider</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)0x11</field>
    </rule>
    <rule id="901874" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)clear\-log\ |\ cl\ |set\-log\ |\ sl\ |lfn:</field>
    </rule>
    <rule id="901875" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Clear\-EventLog\ |Remove\-EventLog\ |Limit\-EventLog\ |Clear\-WinEvent\ )</field>
    </rule>
    <rule id="901876" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ClearEventLog</field>
    </rule>
    <rule id="901877" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.001</id>
            <id>attack.t1562.002</id>
            <id>car.2016-04-002</id>
        </mitre>
        <description>Suspicious Eventlog Clear or Configuration Change</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+msiexec\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ sl\ )</field>
    </rule>
    <rule id="901878" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Microsoft\-Windows\-TerminalServices\-LocalSessionManager/Operational|Microsoft\-Windows\-Terminal\-Services\-RemoteConnectionManager/Operational|Security</field>
    </rule>
    <rule id="901879" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-InstanceId\ 4624|System\[EventID=4624\]|EventCode=.4624.|EventIdentifier=.4624.|\-InstanceId\ 4778|System\[EventID=4778\]|EventCode=.4778.|EventIdentifier=.4778.|\-InstanceId\ 25|System\[EventID=25\]|EventCode=.25.|EventIdentifier=.25.</field>
    </rule>
    <rule id="901880" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wevtutil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ qe\ |\ query\-events\ )</field>
    </rule>
    <rule id="901881" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wevtutil\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ qe\ |\ query\-events\ )</field>
    </rule>
    <rule id="901882" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wevtutil\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ ntevent</field>
    </rule>
    <rule id="901883" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1552</id>
        </mitre>
        <description>Potentially Suspicious EventLog Recon Activity Using Log Query Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Select</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Win32_NTLogEvent</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wevtutil\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-WinEvent\ |get\-eventlog\ )</field>
    </rule>
    <rule id="901884" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious Execution From GUID Like Folder Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Roaming\\+|\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+\{</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+\{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+drvinst\.exe)$</field>
    </rule>
    <rule id="901885" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1564</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Parent in Public Folder Suspicious Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|cmd\.exe\ /c\ |cmd\.exe\ /r\ |cmd\.exe\ /k\ |cmd\ /c\ |cmd\ /r\ |cmd\ /k\ |wscript\.exe|cscript\.exe|bitsadmin|certutil|mshta\.exe</field>
    </rule>
    <rule id="901886" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Execution from Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+\$Recycle\.bin\\+|\\+config\\+systemprofile\\+|\\+Intel\\+Logs\\+|\\+RSA\\+MachineKeys\\+|\\+Users\\+All\ Users\\+|\\+Users\\+Default\\+|\\+Users\\+NetworkService\\+|\\+Users\\+Public\\+|\\+Windows\\+addins\\+|\\+Windows\\+debug\\+|\\+Windows\\+Fonts\\+|\\+Windows\\+Help\\+|\\+Windows\\+IME\\+|\\+Windows\\+Media\\+|\\+Windows\\+repair\\+|\\+Windows\\+security\\+|\\+Windows\\+System32\\+Tasks\\+|\\+Windows\\+Tasks\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Perflogs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Users\\+Public\\+IBM\\+ClientSolutions\\+Start_Programs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+config\\+systemprofile\\+Citrix\\+UpdaterBinaries\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+CitrixReceiverUpdater\.exe)$</field>
    </rule>
    <rule id="901887" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
        <field name="win.eventdata.fileVersion" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
    </rule>
    <rule id="901888" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
    </rule>
    <rule id="901889" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.006</id>
        </mitre>
        <description>Suspicious File Characteristics Due to Missing Fields</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:\\+.)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Downloads\\+</field>
    </rule>
    <rule id="901890" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.execution</id>
            <id>attack.t1615</id>
            <id>attack.t1059.005</id>
        </mitre>
        <description>Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)gatherNetworkInfo\.vbs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wscript\.exe)$</field>
    </rule>
    <rule id="901891" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)::\$index_allocation</field>
    </rule>
    <rule id="901892" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution Of Non-Existing File</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:Registry)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:MemCompression)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:vmmem)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:Registry)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:MemCompression)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:vmmem)$</field>
    </rule>
    <rule id="901893" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Base64 MZ Header In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)TVqQAAMAAAAEAAAA|TVpQAAIAAAAEAA8A|TVqAAAEAAAAEABAA|TVoAAAAAAAAAAAAA|TVpTAQEAAAAEAAAA</field>
    </rule>
    <rule id="901894" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1106</id>
        </mitre>
        <description>Potential WinAPI Calls Via CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)AddSecurityPackage|AdjustTokenPrivileges|Advapi32|CloseHandle|CreateProcessWithToken|CreatePseudoConsole|CreateRemoteThread|CreateThread|CreateUserThread|DangerousGetHandle|DuplicateTokenEx|EnumerateSecurityPackages|FreeHGlobal|FreeLibrary|GetDelegateForFunctionPointer|GetLogonSessionData|GetModuleHandle|GetProcAddress|GetProcessHandle|GetTokenInformation|ImpersonateLoggedOnUser|kernel32|LoadLibrary|memcpy|MiniDumpWriteDump|ntdll|OpenDesktop|OpenProcess|OpenProcessToken|OpenThreadToken|OpenWindowStation|PtrToString|QueueUserApc|ReadProcessMemory|RevertToSelf|RtlCreateUserThread|secur32|SetThreadToken|VirtualAlloc|VirtualFree|VirtualProtect|WaitForSingleObject|WriteInt32|WriteProcessMemory|ZeroFreeGlobalAllocUnicode</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MpCmdRun\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)GetLoadLibraryWAddress32</field>
    </rule>
    <rule id="901895" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ rmdir\ )</field>
    </rule>
    <rule id="901896" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /c</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)user</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/domain</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/add</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/delete</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/active</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/expires</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/passwordreq</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/scriptpath</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/times</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)/workstations</field>
    </rule>
    <rule id="901897" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe|\\+quser\.exe|\\+qwinsta\.exe)$</field>
    </rule>
    <rule id="901898" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)useraccount</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)get</field>
    </rule>
    <rule id="901899" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>attack.t1087.001</id>
        </mitre>
        <description>Local Accounts Discovery</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmdkey\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /l</field>
    </rule>
    <rule id="901900" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>LOLBIN Execution From Abnormal Drive</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+certutil\.exe|\\+cmstp\.exe|\\+cscript\.exe|\\+installutil\.exe|\\+mshta\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:CALC\.EXE|CertUtil\.exe|CMSTP\.EXE|cscript\.exe|installutil\.exe|MSHTA\.EXE|REGSVR32\.EXE|RUNDLL32\.EXE|wscript\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)C:\\+</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901901" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>LSASS Dump Keyword In CommandLine</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass\.dmp|lsass\.zip|lsass\.rar|Andrew\.dmp|Coredump\.dmp|NotLSASS\.zip|lsass_2|lsassdump|lsassdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)lsass</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)SQLDmpr</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.mdmp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)nanodump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.dmp</field>
    </rule>
    <rule id="901902" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential File Download Via MS-AppInstaller Protocol Handler</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ms\-appinstaller://.source=</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="901903" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1016</id>
        </mitre>
        <description>Suspicious Network Command</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ipconfig\ /all|netsh\ interface\ show\ interface|arp\ \-a|nbtstat\ \-n|net\ config|route\ print</field>
    </rule>
    <rule id="901904" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Potential Network Sniffing Activity Using Network Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tshark\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-i</field>
    </rule>
    <rule id="901905" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.discovery</id>
            <id>attack.t1040</id>
        </mitre>
        <description>Potential Network Sniffing Activity Using Network Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+windump\.exe)$</field>
    </rule>
    <rule id="901906" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution of Suspicious File Type Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.bin)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.cgi)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:Registry)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:MemCompression)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:vmmem)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Installer\\+MSI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+DriverStore\\+FileRepository\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Config\.Msi\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.rbf)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.rbs)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$Extend\\+\$Deleted\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901907" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Execution of Suspicious File Type Extension</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.bin)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.cgi)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.com)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.tmp)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Avira\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)NVIDIA\\+NvBackend\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.dat)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+WINPAKPRO\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WINPAKPRO\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\.ngn)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+MyQ\\+Server\\+pcltool\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+MyQ\\+Server\\+pcltool\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+LocalState\\+rootfs\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+LZMA_EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Mozilla\ Firefox\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+services\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:com\.docker\.service)$</field>
    </rule>
    <rule id="901908" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Non-privileged Usage of Reg or Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:reg\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)add</field>
    </rule>
    <rule id="901909" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Non-privileged Usage of Reg or Powershell</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|set\-itemproperty|\ sp\ |new\-itemproperty</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:Medium)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Services</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ImagePath|FailureCommand|ServiceDLL</field>
    </rule>
    <rule id="901910" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+NTDSDump\.exe|\\+NTDSDumpEx\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ntds\.dit</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)system\.hiv</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)NTDSgrab\.ps1</field>
    </rule>
    <rule id="901911" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ac\ i\ ntds</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create\ full</field>
    </rule>
    <rule id="901912" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/c\ copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+windows\\+ntds\\+ntds\.dit</field>
    </rule>
    <rule id="901913" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)activate\ instance\ ntds</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create\ full</field>
    </rule>
    <rule id="901914" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.003</id>
        </mitre>
        <description>Suspicious Process Patterns NTDS.DIT Exfil</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ntds\.dit</field>
    </rule>
    <rule id="901915" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use Short Name Path in Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\~1\\+|\~2\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Dism\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cleanmgr\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+GPSoftware\\+Directory\ Opus\\+dopus\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+veam\.backup\.shell\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+winget\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Everything\\+Everything\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+WinGet\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+appdata\\+local\\+webex\\+webex64\\+meetings\\+wbxreport\.exe</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+post\-install\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Git\\+cmd\\+scalar\.exe</field>
    </rule>
    <rule id="901916" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use Short Name Path in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\\+|\~2\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+Dism\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cleanmgr\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.product" negate="yes" type="pcre2">(?i)^(?:InstallShield\ $R$)$</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)^(?:InstallShield\ $R$\ Setup\ Engine)$</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)^(?:InstallShield\ Software\ Corporation)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\~1\\+unzip\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\~1\\+7zG\.exe)$</field>
    </rule>
    <rule id="901917" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Command Line</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\~1\.exe|\~1\.bat|\~1\.msi|\~1\.vbe|\~1\.vbs|\~1\.dll|\~1\.ps1|\~1\.js|\~1\.hta|\~2\.exe|\~2\.bat|\~2\.msi|\~2\.vbe|\~2\.vbs|\~2\.dll|\~2\.ps1|\~2\.js|\~2\.hta</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+xampp\\+vcredist\\+VCREDI\~1\.EXE</field>
    </rule>
    <rule id="901918" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\.bat|\~1\.dll|\~1\.exe|\~1\.hta|\~1\.js|\~1\.msi|\~1\.ps1|\~1\.tmp|\~1\.vbe|\~1\.vbs|\~2\.bat|\~2\.dll|\~2\.exe|\~2\.hta|\~2\.js|\~2\.msi|\~2\.ps1|\~2\.tmp|\~2\.vbe|\~2\.vbs</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
    </rule>
    <rule id="901919" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.004</id>
        </mitre>
        <description>Use NTFS Short Name in Image</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\~1\.bat|\~1\.dll|\~1\.exe|\~1\.hta|\~1\.js|\~1\.msi|\~1\.ps1|\~1\.tmp|\~1\.vbe|\~1\.vbs|\~2\.bat|\~2\.dll|\~2\.exe|\~2\.hta|\~2\.js|\~2\.msi|\~2\.ps1|\~2\.tmp|\~2\.vbe|\~2\.vbs</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+thor\\+thor64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+PROGRA\~1\\+WinZip\\+WZPREL\~1\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+VCREDI\~1\.EXE)$</field>
    </rule>
    <rule id="901920" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0x|//0x|\.0x|\.00x</field>
    </rule>
    <rule id="901921" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://%</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%2e</field>
    </rule>
    <rule id="901922" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.0[0-9]{3,7}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{3,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i) [0-7]{7,13}</field>
    </rule>
    <rule id="901923" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Download Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-WebRequest|iwr\ |wget\ |curl\ |DownloadFile|DownloadString</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}</field>
    </rule>
    <rule id="901924" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ 0x|//0x|\.0x|\.00x</field>
    </rule>
    <rule id="901925" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http://%</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%2e</field>
    </rule>
    <rule id="901926" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://[0-9]{1,3}\.0[0-9]{3,7}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{3,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)https?://0[0-9]{1,11}</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i) [0-7]{7,13}</field>
    </rule>
    <rule id="901927" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
        </mitre>
        <description>Obfuscated IP Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ping\.exe|\\+arp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}</field>
    </rule>
    <rule id="901928" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Suspicious Office Token Search Via CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)eyJ0eXAiOi|\ eyJ0eX|\ "eyJ0eX"|\ 'eyJ0eX'</field>
    </rule>
    <rule id="901929" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Process Parents</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+minesweeper\.exe|\\+winver\.exe|\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="901930" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Process Parents</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+certutil\.exe|\\+eventvwr\.exe|\\+calc\.exe|\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+win32calc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+notepad\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901931" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:dir\ )</field>
    </rule>
    <rule id="901932" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Get\-ChildItem\ )</field>
    </rule>
    <rule id="901933" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.004</id>
        </mitre>
        <description>Private Keys Reconnaissance Via CommandLine Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.key|\.pgp|\.gpg|\.ppk|\.p12|\.pem|\.pfx|\.cer|\.p7b|\.asc</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+findstr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:FINDSTR\.EXE)$</field>
    </rule>
    <rule id="901934" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Windows Processes Suspicious Parent Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+taskhost\.exe|\\+lsm\.exe|\\+lsass\.exe|\\+services\.exe|\\+lsaiso\.exe|\\+csrss\.exe|\\+wininit\.exe|\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+SavService\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+System32\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+SysWOW64\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)\\+Microsoft\ Security\ Client\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
    </rule>
    <rule id="901935" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Program Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+CVE\-202|\\+CVE202</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+poc\.exe|\\+artifact\.exe|\\+artifact64\.exe|\\+artifact_protected\.exe|\\+artifact32\.exe|\\+artifact32big\.exe|obfuscated\.exe|obfusc\.exe|\\+meterpreter)$</field>
    </rule>
    <rule id="901936" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Program Names</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)inject\.ps1|Invoke\-CVE|pupy\.ps1|payload\.ps1|beacon\.ps1|PowerView\.ps1|bypass\.ps1|obfuscated\.ps1|obfusc\.ps1|obfus\.ps1|obfs\.ps1|evil\.ps1|MiniDogz\.ps1|_enc\.ps1|\\+shell\.ps1|\\+rshell\.ps1|revshell\.ps1|\\+av\.ps1|\\+av_test\.ps1|adrecon\.ps1|mimikatz\.ps1|\\+PowerUp_|powerup\.ps1|\\+Temp\\+a\.ps1|\\+Temp\\+p\.ps1|\\+Temp\\+1\.ps1|Hound\.ps1|encode\.ps1|powercat\.ps1</field>
    </rule>
    <rule id="901937" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Process Execution From Fake Recycle.Bin Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)RECYCLERS\.BIN\\+|RECYCLER\.BIN\\+</field>
    </rule>
    <rule id="901938" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.002</id>
        </mitre>
        <description>Potential Defense Evasion Via Right-to-Left Override</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)‮</field>
    </rule>
    <rule id="901939" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cscript\.exe|\\+mshta\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="901940" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ep\ bypass\ |\ \-ExecutionPolicy\ bypass\ |\ \-w\ hidden\ |/e:javascript\ |/e:Jscript\ |/e:vbscript\ )</field>
    </rule>
    <rule id="901941" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:cscript\.exe|mshta\.exe|wscript\.exe)$</field>
    </rule>
    <rule id="901942" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|\\+Temporary\ Internet|\\+Windows\\+Temp</field>
    </rule>
    <rule id="901943" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Script Interpreter Execution From Suspicious Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="901944" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Suspicious Script Execution From Temp Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+mshta\.exe|\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Windows\\+Temp|\\+Temporary\ Internet|\\+AppData\\+Local\\+Temp|\\+AppData\\+Roaming\\+Temp|%TEMP%|%TMP%|%LocalAppData%\\+Temp</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ &gt;</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Out\-File</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ConvertTo\-Json</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\-WindowStyle\ hidden\ \-Verb\ runAs</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Windows\\+system32\\+config\\+systemprofile\\+AppData\\+Local\\+Temp\\+Amazon\\+EC2\-Windows\\+</field>
    </rule>
    <rule id="901945" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sc\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)create</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)binPath=</field>
    </rule>
    <rule id="901946" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)New\-Service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-BinaryPathName</field>
    </rule>
    <rule id="901947" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Suspicious New Service Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)powershell|mshta|wscript|cscript|svchost|dllhost|cmd\ |cmd\.exe\ /c|cmd\.exe\ /k|cmd\.exe\ /r|rundll32|C:\\+Users\\+Public|\\+Downloads\\+|\\+Desktop\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|C:\\+Windows\\+TEMP\\+|\\+AppData\\+Local\\+Temp</field>
    </rule>
    <rule id="901948" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Suspicious Service Binary Directory</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+\$Recycle\.bin|\\+Users\\+All\ Users\\+|\\+Users\\+Default\\+|\\+Users\\+Contacts\\+|\\+Users\\+Searches\\+|C:\\+Perflogs\\+|\\+config\\+systemprofile\\+|\\+Windows\\+Fonts\\+|\\+Windows\\+IME\\+|\\+Windows\\+addins\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+services\.exe|\\+svchost\.exe)$</field>
    </rule>
    <rule id="901949" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Suspicious Windows Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)143Svc|Acronis\ VSS\ Provider|AcronisAgent|AcrSch2Svc|Antivirus|ARSM|aswBcc|Avast\ Business\ Console\ Client\ Antivirus\ Service|avast!\ Antivirus|AVG\ Antivirus|avgAdminClient|AvgAdminServer|AVP1|BackupExec|bedbg|BITS|BrokerInfrastructure|Client\ Agent\ 7\.60|Core\ Browsing\ Protection|Core\ Mail\ Protection|Core\ Scanning\ Server|DCAgent|EhttpSr|ekrn|Enterprise\ Client\ Service|epag|EPIntegrationService|EPProtectedService|EPRedline|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|FirebirdGuardianDefaultInstance|FirebirdServerDefaultInstance|HealthTLService|MSSQLFDLauncher\$|hmpalertsvc|HMS|IISAdmin|IMANSVC|IMAP4Svc|KAVFS|KAVFSGT|kavfsslp|klbackupdisk|klbackupflt|klflt|klhk|KLIF|klim6|klkbdflt|klmouflt|klnagent|klpd|kltap|KSDE1\.0\.0|LogProcessorService|M8EndpointAgent|macmnsvc|masvc|MBAMService|MBCloudEA|MBEndpointAgent|McAfeeDLPAgentService|McAfeeEngineService|MCAFEEEVENTPARSERSRV|McAfeeFramework|MCAFEETOMCATSRV530|McShield|McTaskManager|mfefire|mfemms|mfevto|mfevtp|mfewc|MMS|mozyprobackup|MsDtsServer|MSExchange|msftesq1SPROO|msftesql\$PROD|MSOLAP\$SQL_2008|MSOLAP\$SYSTEM_BGC|MSOLAP\$TPS|MSOLAP\$TPSAMA|MSOLAPSTPS|MSOLAPSTPSAMA|mssecflt|MSSQ!I\.SPROFXENGAGEMEHT|MSSQ0SHAREPOINT|MSSQ0SOPHOS|MSSQL|MySQL|NanoServiceMain|NetMsmqActivator|ntrtscan|ofcservice|Online\ Protection\ System|OracleClientCache80|PandaAetherAgent|PccNTUpd|PDVFSService|POP3Svc|POVFSService|PSUAService|Quick\ Update\ Service|RepairService|ReportServer|ReportServer\$|RESvc|RpcEptMapper|sacsvr|SamSs|SAVAdminService|SAVService|ScSecSvc|SDRSVC|sense|SentinelAgent|SentinelHelperService|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|Sophos|SQ1SafeOLRService|SQL\ Backups|SQL\ Server|SQLAgent|SQLBrowser|SQLsafe|SQLSERVERAGENT|SQLTELEMETRY|SQLWriter|SSISTELEMETRY130|SstpSvc|svcGenericHost|swc_service|swi_filter|swi_service|swi_update|Symantec|Telemetryserver|ThreatLockerService|TMBMServer|TmCCSF|TmFilter|TMiCRCScanService|tmlisten|TMLWCSService|TmPfw|TmPreFilter|TmProxy|TMSmartRelayService|tmusa|Trend\ Micro\ Deep\ Security\ Manager|TrueKey|UI0Detect|UTODetect|Veeam|VeeamDeploySvc|Veritas\ System\ Recovery|VSApiNt|VSS|W3Svc|wbengine|WdNisSvc|WeanClOudSve|Weems\ JY|WinDefend|wozyprobackup|WRSVC|Zoolz\ 2\ Service</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ stop\ )</field>
    </rule>
    <rule id="901950" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1489</id>
        </mitre>
        <description>Suspicious Windows Service Tampering</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)143Svc|Acronis\ VSS\ Provider|AcronisAgent|AcrSch2Svc|Antivirus|ARSM|aswBcc|Avast\ Business\ Console\ Client\ Antivirus\ Service|avast!\ Antivirus|AVG\ Antivirus|avgAdminClient|AvgAdminServer|AVP1|BackupExec|bedbg|BITS|BrokerInfrastructure|Client\ Agent\ 7\.60|Core\ Browsing\ Protection|Core\ Mail\ Protection|Core\ Scanning\ Server|DCAgent|EhttpSr|ekrn|Enterprise\ Client\ Service|epag|EPIntegrationService|EPProtectedService|EPRedline|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|FirebirdGuardianDefaultInstance|FirebirdServerDefaultInstance|HealthTLService|MSSQLFDLauncher\$|hmpalertsvc|HMS|IISAdmin|IMANSVC|IMAP4Svc|KAVFS|KAVFSGT|kavfsslp|klbackupdisk|klbackupflt|klflt|klhk|KLIF|klim6|klkbdflt|klmouflt|klnagent|klpd|kltap|KSDE1\.0\.0|LogProcessorService|M8EndpointAgent|macmnsvc|masvc|MBAMService|MBCloudEA|MBEndpointAgent|McAfeeDLPAgentService|McAfeeEngineService|MCAFEEEVENTPARSERSRV|McAfeeFramework|MCAFEETOMCATSRV530|McShield|McTaskManager|mfefire|mfemms|mfevto|mfevtp|mfewc|MMS|mozyprobackup|MsDtsServer|MSExchange|msftesq1SPROO|msftesql\$PROD|MSOLAP\$SQL_2008|MSOLAP\$SYSTEM_BGC|MSOLAP\$TPS|MSOLAP\$TPSAMA|MSOLAPSTPS|MSOLAPSTPSAMA|mssecflt|MSSQ!I\.SPROFXENGAGEMEHT|MSSQ0SHAREPOINT|MSSQ0SOPHOS|MSSQL|MySQL|NanoServiceMain|NetMsmqActivator|ntrtscan|ofcservice|Online\ Protection\ System|OracleClientCache80|PandaAetherAgent|PccNTUpd|PDVFSService|POP3Svc|POVFSService|PSUAService|Quick\ Update\ Service|RepairService|ReportServer|ReportServer\$|RESvc|RpcEptMapper|sacsvr|SamSs|SAVAdminService|SAVService|ScSecSvc|SDRSVC|sense|SentinelAgent|SentinelHelperService|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|Sophos|SQ1SafeOLRService|SQL\ Backups|SQL\ Server|SQLAgent|SQLBrowser|SQLsafe|SQLSERVERAGENT|SQLTELEMETRY|SQLWriter|SSISTELEMETRY130|SstpSvc|svcGenericHost|swc_service|swi_filter|swi_service|swi_update|Symantec|Telemetryserver|ThreatLockerService|TMBMServer|TmCCSF|TmFilter|TMiCRCScanService|tmlisten|TMLWCSService|TmPfw|TmPreFilter|TmProxy|TMSmartRelayService|tmusa|Trend\ Micro\ Deep\ Security\ Manager|TrueKey|UI0Detect|UTODetect|Veeam|VeeamDeploySvc|Veritas\ System\ Recovery|VSApiNt|VSS|W3Svc|wbengine|WdNisSvc|WeanClOudSve|Weems\ JY|WinDefend|wozyprobackup|WRSVC|Zoolz\ 2\ Service</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+net\.exe|\\+net1\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:Stop\-Service\ |Remove\-Service\ )</field>
    </rule>
    <rule id="901951" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1070</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Shadow Copies Deletion Using Operating Systems Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+wmic\.exe|\\+vssadmin\.exe|\\+diskshadow\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:PowerShell\.EXE|pwsh\.dll|wmic\.exe|VSSADMIN\.EXE|diskshadow\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)shadow</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
    </rule>
    <rule id="901952" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1070</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Shadow Copies Deletion Using Operating Systems Utilities</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wbadmin\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WBADMIN\.EXE)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalog</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)quiet</field>
    </rule>
    <rule id="901953" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1059.005</id>
            <id>attack.t1059.001</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Windows Shell/Scripting Processes Spawning Suspicious Programs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+rundll32\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+wmiprvse\.exe|\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+schtasks\.exe|\\+nslookup\.exe|\\+certutil\.exe|\\+bitsadmin\.exe|\\+mshta\.exe)$</field>
        <field name="win.eventdata.currentDirectory" negate="yes" type="pcre2">(?i)\\+ccmcache\\+</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+setup\-scheduledtask\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+set\-selfhealing\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+Program\ Files\\+Amazon\\+WorkSpacesConfig\\+Scripts\\+check\-workspacehealth\.ps1</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+nessus_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+nessus_</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+mshta\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)C:\\+MEM_Configmgr_</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+splash\.hta</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+MEM_Configmgr_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+SMSSETUP\\+BIN\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+autorun\.hta</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}</field>
    </rule>
    <rule id="901954" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Process Creation Using Sysnative Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i):\\+Windows\\+Sysnative\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Windows\\+Sysnative\\+</field>
    </rule>
    <rule id="901955" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>System File Execution Location Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe|\\+rundll32\.exe|\\+services\.exe|\\+powershell\.exe|\\+powershell_ise\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+spoolsv\.exe|\\+lsass\.exe|\\+smss\.exe|\\+csrss\.exe|\\+conhost\.exe|\\+wininit\.exe|\\+lsm\.exe|\\+winlogon\.exe|\\+explorer\.exe|\\+taskhost\.exe|\\+Taskmgr\.exe|\\+sihost\.exe|\\+RuntimeBroker\.exe|\\+smartscreen\.exe|\\+dllhost\.exe|\\+audiodg\.exe|\\+wlanext\.exe|\\+dashost\.exe|\\+schtasks\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+wsl\.exe|\\+bitsadmin\.exe|\\+atbroker\.exe|\\+bcdedit\.exe|\\+certutil\.exe|\\+certreq\.exe|\\+cmstp\.exe|\\+consent\.exe|\\+defrag\.exe|\\+dism\.exe|\\+dllhst3g\.exe|\\+eventvwr\.exe|\\+msiexec\.exe|\\+runonce\.exe|\\+winver\.exe|\\+logonui\.exe|\\+userinit\.exe|\\+dwm\.exe|\\+LsaIso\.exe|\\+ntoskrnl\.exe|\\+wsmprovhost\.exe|\\+dfrgui\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+SystemRoot\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+PowerShell\\+7\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+PowerShell\\+7\-preview\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+WindowsApps\\+MicrosoftCorporationII\.WindowsSubsystemForLinux)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+wsl\.exe)$</field>
    </rule>
    <rule id="901956" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1134</id>
            <id>attack.t1003</id>
            <id>attack.t1027</id>
        </mitre>
        <description>Suspicious SYSTEM User Process Creation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+wscript\.exe|\\+cscript\.exe|\\+hh\.exe|\\+mshta\.exe|\\+forfiles\.exe|\\+ping\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-NoP\ |\ \-W\ Hidden\ |\ \-decode\ |\ /decode\ |\ /urlcache\ |\ \-urlcache\ |\ \-e.+\ JAB|\ \-e.+\ SUVYI|\ \-e.+\ SQBFAFgA|\ \-e.+\ aWV4I|\ \-e.+\ IAB|\ \-e.+\ PAA|\ \-e.+\ aQBlAHgA|vssadmin\ delete\ shadows|reg\ SAVE\ HKLM|\ \-ma\ |Microsoft\\+Windows\\+CurrentVersion\\+Run|\.downloadstring$|\.downloadfile\(|\ /ticket:|dpapi::|event::clear|event::drop|id::modify|kerberos::|lsadump::|misc::|privilege::|rpc::|sekurlsa::|sid::|token::|vault::cred|vault::list|\ p::d\ |;iex\(|MiniDump|net\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:ping\ 127\.0\.0\.1\ \-n\ 5)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PING\.EXE)$</field>
        <field name="win.eventdata.parentCommandLine" negate="yes" type="pcre2">(?i)\\+DismFoDInstall\.cmd</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Packages\\+Plugins\\+Microsoft\.GuestConfiguration\.ConfigurationforWindows\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\ \(x86$\\+Java\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Java\\+</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+bin\\+javaws\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Java\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Java\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+bin\\+jp2launcher\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-ma\ )</field>
    </rule>
    <rule id="901957" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1552.006</id>
        </mitre>
        <description>Suspicious SYSVOL Domain Group Policy Access</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+SYSVOL\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+policies\\+</field>
    </rule>
    <rule id="901958" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspicious Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+netlogon\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)^(?:explorer\.exe)$</field>
    </rule>
    <rule id="901959" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Malicious Windows Script Components File Execution by TAEF Detection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+te\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+te\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:\\+te\.exe)$</field>
    </rule>
    <rule id="901960" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1218</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Malicious PE Execution by Microsoft Visual Studio Debugger</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vsjitdebugger\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+vsimmersiveactivatehelper.+\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+devenv\.exe)$</field>
    </rule>
    <rule id="901961" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Weak or Abused Passwords In CLI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)123456789|123123qwE|Asd123\.aaaa|Decryptme|P@ssw0rd!|Pass8080|password123|test@202</field>
    </rule>
    <rule id="901962" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Usage Of Web Request Commands And Cmdlets</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\[System\.Net\.WebRequest\]::create|curl\ |Invoke\-RestMethod|Invoke\-WebRequest|iwr\ |Net\.WebClient|Resume\-BitsTransfer|Start\-BitsTransfer|wget\ |WinHttp\.WinHttpRequest</field>
    </rule>
    <rule id="901963" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>WhoAmI as Parameter</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ whoami</field>
    </rule>
    <rule id="901964" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution via WorkFolders.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+control\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WorkFolders\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+control\.exe)$</field>
    </rule>
    <rule id="901965" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
        </mitre>
        <description>Suspect Svchost Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnet\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnetp\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901966" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1190</id>
            <id>attack.lateral_movement</id>
            <id>attack.t1210</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Terminal Service Process Spawn</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\\+svchost\.exe</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)termsvcs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rdpclip\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+csrss\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+wininit\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+winlogon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901967" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.005</id>
        </mitre>
        <description>Uncommon Svchost Parent Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+Mrt\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+rpcnet\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+services\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="901968" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Potential Execution of Sysinternals Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-accepteula)</field>
    </rule>
    <rule id="901969" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Memory Dumping Activity Via LiveKD</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+livekd\.exe|\\+livekd64\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:livekd\.exe)$</field>
    </rule>
    <rule id="901970" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Procdump Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+procdump\.exe|\\+procdump64\.exe)$</field>
    </rule>
    <rule id="901971" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy\ procdump|move\ procdump</field>
    </rule>
    <rule id="901972" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:copy\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.dmp\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)2\.dmp|lsass|out\.dmp</field>
    </rule>
    <rule id="901973" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential SysInternals ProcDump Evasion</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)copy\ lsass\.exe_|move\ lsass\.exe_</field>
    </rule>
    <rule id="901974" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569</id>
            <id>attack.t1021</id>
        </mitre>
        <description>Psexec Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+psexec\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:psexec\.c)$</field>
    </rule>
    <rule id="901975" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Potential PsExec Remote Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)accepteula</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \\+</field>
    </rule>
    <rule id="901976" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PsExec Service Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+PSEXESVC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:psexesvc\.exe)$</field>
    </rule>
    <rule id="901977" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PsExec Service Child Process Execution as LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+PSEXESVC\.exe)$</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
    </rule>
    <rule id="901978" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Sysinternals PsService Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:psservice\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+PsService\.exe|\\+PsService64\.exe)$</field>
    </rule>
    <rule id="901979" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.persistence</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>Sysinternals PsSuspend Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:pssuspend\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+pssuspend\.exe|\\+pssuspend64\.exe)$</field>
    </rule>
    <rule id="901980" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1485</id>
        </mitre>
        <description>Potential File Overwrite Via Sysinternals SDelete</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sdelete\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-h</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-c</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ \-z</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\ /\\+.</field>
    </rule>
    <rule id="901981" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1587.001</id>
        </mitre>
        <description>Potential Privilege Escalation To LOCAL SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\ \-s\ cmd|\ \-s\ \-i\ cmd|\ \-i\ \-s\ cmd|\ \-s\ pwsh|\ \-s\ \-i\ pwsh|\ \-i\ \-s\ pwsh|\ \-s\ powershell|\ \-s\ \-i\ powershell|\ \-i\ \-s\ powershell)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)paexec</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)PsExec</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)accepteula</field>
    </rule>
    <rule id="901982" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potential Binary Impersonating Sysinternals Tools</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+accesschk\.exe|\\+accesschk64\.exe|\\+AccessEnum\.exe|\\+ADExplorer\.exe|\\+ADExplorer64\.exe|\\+ADInsight\.exe|\\+ADInsight64\.exe|\\+adrestore\.exe|\\+adrestore64\.exe|\\+Autologon\.exe|\\+Autologon64\.exe|\\+Autoruns\.exe|\\+Autoruns64\.exe|\\+autorunsc\.exe|\\+autorunsc64\.exe|\\+Bginfo\.exe|\\+Bginfo64\.exe|\\+Cacheset\.exe|\\+Cacheset64\.exe|\\+Clockres\.exe|\\+Clockres64\.exe|\\+Contig\.exe|\\+Contig64\.exe|\\+Coreinfo\.exe|\\+Coreinfo64\.exe|\\+CPUSTRES\.EXE|\\+CPUSTRES64\.EXE|\\+ctrl2cap\.exe|\\+Dbgview\.exe|\\+dbgview64\.exe|\\+Desktops\.exe|\\+Desktops64\.exe|\\+disk2vhd\.exe|\\+disk2vhd64\.exe|\\+diskext\.exe|\\+diskext64\.exe|\\+Diskmon\.exe|\\+Diskmon64\.exe|\\+DiskView\.exe|\\+DiskView64\.exe|\\+du\.exe|\\+du64\.exe|\\+efsdump\.exe|\\+FindLinks\.exe|\\+FindLinks64\.exe|\\+handle\.exe|\\+handle64\.exe|\\+hex2dec\.exe|\\+hex2dec64\.exe|\\+junction\.exe|\\+junction64\.exe|\\+ldmdump\.exe|\\+listdlls\.exe|\\+listdlls64\.exe|\\+livekd\.exe|\\+livekd64\.exe|\\+loadOrd\.exe|\\+loadOrd64\.exe|\\+loadOrdC\.exe|\\+loadOrdC64\.exe|\\+logonsessions\.exe|\\+logonsessions64\.exe|\\+movefile\.exe|\\+movefile64\.exe|\\+notmyfault\.exe|\\+notmyfault64\.exe|\\+notmyfaultc\.exe|\\+notmyfaultc64\.exe|\\+ntfsinfo\.exe|\\+ntfsinfo64\.exe|\\+pendmoves\.exe|\\+pendmoves64\.exe|\\+pipelist\.exe|\\+pipelist64\.exe|\\+portmon\.exe|\\+procdump\.exe|\\+procdump64\.exe|\\+procexp\.exe|\\+procexp64\.exe|\\+Procmon\.exe|\\+Procmon64\.exe|\\+psExec\.exe|\\+psExec64\.exe|\\+psfile\.exe|\\+psfile64\.exe|\\+psGetsid\.exe|\\+psGetsid64\.exe|\\+psInfo\.exe|\\+psInfo64\.exe|\\+pskill\.exe|\\+pskill64\.exe|\\+pslist\.exe|\\+pslist64\.exe|\\+psLoggedon\.exe|\\+psLoggedon64\.exe|\\+psloglist\.exe|\\+psloglist64\.exe|\\+pspasswd\.exe|\\+pspasswd64\.exe|\\+psping\.exe|\\+psping64\.exe|\\+psService\.exe|\\+psService64\.exe|\\+psshutdown\.exe|\\+psshutdown64\.exe|\\+pssuspend\.exe|\\+pssuspend64\.exe|\\+RAMMap\.exe|\\+RDCMan\.exe|\\+RegDelNull\.exe|\\+RegDelNull64\.exe|\\+regjump\.exe|\\+ru\.exe|\\+ru64\.exe|\\+sdelete\.exe|\\+sdelete64\.exe|\\+ShareEnum\.exe|\\+ShareEnum64\.exe|\\+shellRunas\.exe|\\+sigcheck\.exe|\\+sigcheck64\.exe|\\+streams\.exe|\\+streams64\.exe|\\+strings\.exe|\\+strings64\.exe|\\+sync\.exe|\\+sync64\.exe|\\+Sysmon\.exe|\\+Sysmon64\.exe|\\+tcpvcon\.exe|\\+tcpvcon64\.exe|\\+tcpview\.exe|\\+tcpview64\.exe|\\+Testlimit\.exe|\\+Testlimit64\.exe|\\+vmmap\.exe|\\+vmmap64\.exe|\\+Volumeid\.exe|\\+Volumeid64\.exe|\\+whois\.exe|\\+whois64\.exe|\\+Winobj\.exe|\\+Winobj64\.exe|\\+ZoomIt\.exe|\\+ZoomIt64\.exe)$</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)^(?:Sysinternals\ \-\ www\.sysinternals\.com)$</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)^(?:Sysinternals)$</field>
        <field name="win.eventdata.company" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="901983" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059</id>
        </mitre>
        <description>Sysprep on AppData Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+sysprep\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+</field>
    </rule>
    <rule id="901984" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1082</id>
        </mitre>
        <description>Suspicious Execution of Systeminfo</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+systeminfo\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:sysinfo\.exe)$</field>
    </rule>
    <rule id="901985" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1222.001</id>
        </mitre>
        <description>Suspicious Recursive Takeown</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+takeown\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/f\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/r</field>
    </rule>
    <rule id="901986" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.exfiltration</id>
            <id>attack.t1048</id>
        </mitre>
        <description>Tap Installer Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tapinstall\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Avast\ Software\\+SecureLine\ VPN\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Avast\ Software\\+SecureLine\ VPN\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+OpenVPN\ Connect\\+drivers\\+tap\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Proton\ Technologies\\+ProtonVPNTap\\+installer\\+</field>
    </rule>
    <rule id="901987" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Taskkill Symantec Endpoint Protection</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)taskkill</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /F\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ /IM\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ccSvcHst\.exe</field>
    </rule>
    <rule id="901988" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Taskmgr as LOCAL_SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
    </rule>
    <rule id="901989" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036</id>
        </mitre>
        <description>New Process Created Via Taskmgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+taskmgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+mmc\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+resmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+Taskmgr\.exe)$</field>
    </rule>
    <rule id="901990" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1528</id>
        </mitre>
        <description>Potentially Suspicious Command Targeting Teams Sensitive Files</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+Microsoft\\+Teams\\+Cookies|\\+Microsoft\\+Teams\\+Local\ Storage\\+leveldb</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
    </rule>
    <rule id="901991" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Suspicious TSCON Start as SYSTEM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+tscon\.exe)$</field>
    </rule>
    <rule id="901992" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.t1563.002</id>
            <id>attack.t1021.001</id>
            <id>car.2013-07-002</id>
        </mitre>
        <description>Suspicious RDP Redirect Using TSCON</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /dest:rdp\-tcp\#</field>
    </rule>
    <rule id="901993" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using ChangePK and SLUI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+changepk\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+slui\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="901994" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Disk Cleanup</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:"\\+system32\\+cleanmgr\.exe\ /autoclean\ /d\ C:)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe\ \-k\ netsvcs\ \-p\ \-s\ Schedule)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="901995" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP UAC Bypass via COM Object Access</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ /Processid:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}|\ /Processid:\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}|\ /Processid:\{BD54C901\-076B\-434E\-B6C7\-17C531F4AB41\}|\ /Processid:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}|\ /Processid:\{E9495B87\-D950\-4AB5\-87A5\-FF6D70BF3E90\}</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="901996" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Tools Using ComputerDefaults</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ComputerDefaults\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Windows\\+System32</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i):\\+Program\ Files</field>
    </rule>
    <rule id="901997" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Consent and Comctl32 - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+consent\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+werfault\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="901998" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using DismHost</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+DismHost\.exe</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="901999" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC via Fodhelper.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+fodhelper\.exe)$</field>
    </rule>
    <rule id="902000" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548</id>
        </mitre>
        <description>UAC Bypass via Windows Firewall Snap-In Hijack</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+mmc\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)WF\.msc</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
    </rule>
    <rule id="902001" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass via ICMLuaUtil</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+dllhost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)/Processid:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}|/Processid:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)^(?:WerFault\.exe)$</field>
    </rule>
    <rule id="902002" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IDiagnostic Profile</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+DllHost\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\ /Processid:\{12C21EA7\-2EB8\-4B55\-9249\-AC243DA8C666\}</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902003" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using IEInstal - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+ieinstal\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:consent\.exe)$</field>
    </rule>
    <rule id="902004" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using MSConfig Token Modification - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+pkgmgr\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+msconfig\.exe"\ \-5)$</field>
    </rule>
    <rule id="902005" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+wusa\.exe"\ \ /quiet\ C:\\+Users\\+)</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+update\.msu)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902006" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using NTFS Reparse Point - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+dism\.exe"\ /online\ /quiet\ /norestart\ /add\-package\ /packagepath:"C:\\+Windows\\+system32\\+pe386"\ /ignorecheck)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)C:\\+Users\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+dismhost\.exe\ \{</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+DismHost\.exe)$</field>
    </rule>
    <rule id="902007" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using PkgMgr and DISM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+pkgmgr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dism\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902008" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Potential UAC Bypass Via Sdclt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:sdclt\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High)$</field>
    </rule>
    <rule id="902009" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>TrustedPath UAC Bypass Pattern</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Windows\ \\+System32\\+</field>
    </rule>
    <rule id="902010" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+system32\\+winsat\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)C:\\+Windows\ \\+system32\\+winsat\.exe</field>
    </rule>
    <rule id="902011" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902012" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+mmc\.exe"\ "C:\\+Windows\\+system32\\+eventvwr\.msc"\ /s)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902013" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC via WSReset.exe</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsreset\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+conhost\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="yes" type="pcre2">(?i)^(?:CONHOST\.EXE)$</field>
    </rule>
    <rule id="902014" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass WSReset</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsreset\.exe)$</field>
        <field name="win.eventdata.integrityLevel" negate="no" type="pcre2">(?i)^(?:High|System)$</field>
    </rule>
    <rule id="902015" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1219</id>
        </mitre>
        <description>Use of UltraVNC Remote Access Software</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:VNCViewer)$</field>
        <field name="win.eventdata.product" negate="no" type="pcre2">(?i)^(?:UltraVNC\ VNCViewer)$</field>
        <field name="win.eventdata.company" negate="no" type="pcre2">(?i)^(?:UltraVNC)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:VNCViewer\.exe)$</field>
    </rule>
    <rule id="902016" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.g0047</id>
            <id>attack.t1021.005</id>
        </mitre>
        <description>Suspicious UltraVNC Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-autoreconnect\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-connect\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-id:</field>
    </rule>
    <rule id="902017" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Uninstall Crowdstrike Falcon Sensor</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+WindowsSensor\.exe</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /quiet</field>
    </rule>
    <rule id="902018" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Uncommon Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+explorer\.exe)$</field>
    </rule>
    <rule id="902019" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Uncommon Userinit Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+userinit\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)netlogon\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)UsrLogon\.cmd</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:PowerShell\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+proquota\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+proquota\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+HDX\\+bin\\+cmstart\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+HDX\\+bin\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\ $x86$\\+Citrix\\+System32\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+HDX\\+bin\\+cmstart\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+HDX\\+bin\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Citrix\\+System32\\+icast\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902020" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Detect Virtualbox Driver Installation OR Starting Of VMs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)VBoxRT\.dll,RTR3Init|VBoxC\.dll|VBoxDrv\.sys</field>
    </rule>
    <rule id="902021" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.006</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Detect Virtualbox Driver Installation OR Starting Of VMs</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)startvm|controlvm</field>
    </rule>
    <rule id="902022" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Suspicious VBoxDrvInst.exe Parameters</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+VBoxDrvInst\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)driver</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)executeinf</field>
    </rule>
    <rule id="902023" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1059</id>
        </mitre>
        <description>VMToolsd Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+vmtoolsd\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:Cmd\.Exe|cscript\.exe|MSHTA\.EXE|PowerShell\.EXE|pwsh\.dll|REGSVR32\.EXE|RUNDLL32\.EXE|wscript\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+poweron\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+poweroff\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+resume\-vm\-default\.bat</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+VMware\\+VMware\ Tools\\+suspend\-vm\-default\.bat</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902024" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+cscript\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902025" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe|\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)Invoke\-Expressions|IEX|Invoke\-Command|ICM|DownloadString|rundll32|regsvr32|wscript|cscript</field>
    </rule>
    <rule id="902026" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Potentially Suspicious Child Process Of VsCode</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+code\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i):\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|:\\+Temp\\+</field>
    </rule>
    <rule id="902027" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ tunnel)$</field>
    </rule>
    <rule id="902028" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-accept\-server\-license\-terms</field>
    </rule>
    <rule id="902029" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ tunnel)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)code\-server\.cmd</field>
    </rule>
    <rule id="902030" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Shell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.vscode\-server</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+terminal\\+browser\\+media\\+shellIntegration\.ps1</field>
    </rule>
    <rule id="902031" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Shell Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+server\\+node\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)\.vscode\-server</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+bash\.exe)$</field>
    </rule>
    <rule id="902032" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\.exe\ tunnel)$</field>
    </rule>
    <rule id="902033" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\.exe\ tunnel</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\-\-name\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-accept\-server\-license\-terms</field>
    </rule>
    <rule id="902034" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)internal\-run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel\-service\.log</field>
    </rule>
    <rule id="902035" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="902036" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)(?:\ tunnel)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:/d\ /c\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+servers\\+Stable\-</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)code\-server\.cmd</field>
    </rule>
    <rule id="902037" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Renamed Visual Studio Code Tunnel Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+code\-tunnel\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+code\.exe)$</field>
    </rule>
    <rule id="902038" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1071.001</id>
        </mitre>
        <description>Visual Studio Code Tunnel Service Installation</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:tunnel\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)service</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)internal\-run</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)tunnel\-service\.log</field>
    </rule>
    <rule id="902039" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Suspicious Vsls-Agent Command With AgentExtensionPath Load</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+vsls\-agent\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\-\-agentExtensionPath</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Microsoft\.VisualStudio\.LiveShare\.Agent\.</field>
    </rule>
    <rule id="902040" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab Execution From Non Default Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Mail\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Windows\ Mail\\+)</field>
    </rule>
    <rule id="902041" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab/Wabmig Unusual Parent Or Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe|\\+svchost\.exe|\\+dllhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
    </rule>
    <rule id="902042" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
        </mitre>
        <description>Wab/Wabmig Unusual Parent Or Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wab\.exe|\\+wabmig\.exe)$</field>
    </rule>
    <rule id="902043" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1204</id>
        </mitre>
        <description>Potentially Suspicious WebDAV LNK Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wscript\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\\+DavWWWRoot\\+</field>
    </rule>
    <rule id="902044" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+w3wp\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902045" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902046" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalina\.jar|CATALINA_HOME</field>
    </rule>
    <rule id="902047" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
    </rule>
    <rule id="902048" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-hp</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ a\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-m</field>
    </rule>
    <rule id="902049" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /add</field>
    </rule>
    <rule id="902050" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)net</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ localgroup\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ administrators\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/add</field>
    </rule>
    <rule id="902051" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+ntdsutil\.exe|\\+ldifde\.exe|\\+adfind\.exe|\\+procdump\.exe|\\+Nanodump\.exe|\\+vssadmin\.exe|\\+fsutil\.exe)$</field>
    </rule>
    <rule id="902052" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Hacking Activity Patterns</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-decode\ |\ \-NoP\ |\ \-W\ Hidden\ |\ /decode\ |\ /ticket:|\ sekurlsa|\.dmp\ full|\.downloadfile\(|\.downloadstring\(|FromBase64String|process\ call\ create|reg\ save\ |whoami\ /priv</field>
    </rule>
    <rule id="902053" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+w3wp\.exe|\\+php\-cgi\.exe|\\+nginx\.exe|\\+httpd\.exe|\\+caddy\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902054" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902055" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)catalina\.jar|CATALINA_HOME</field>
    </rule>
    <rule id="902056" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:net\.exe|net1\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ user\ |\ use\ |\ group\ )</field>
    </rule>
    <rule id="902057" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:ping\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-n\ )</field>
    </rule>
    <rule id="902058" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\&amp;cd\&amp;echo|cd\ /d\ )</field>
    </rule>
    <rule id="902059" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /node:</field>
    </rule>
    <rule id="902060" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+dsquery\.exe|\\+find\.exe|\\+findstr\.exe|\\+ipconfig\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+pathping\.exe|\\+quser\.exe|\\+schtasks\.exe|\\+systeminfo\.exe|\\+tasklist\.exe|\\+tracert\.exe|\\+ver\.exe|\\+wevtutil\.exe|\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:dsquery\.exe|find\.exe|findstr\.exe|ipconfig\.exe|netstat\.exe|nslookup\.exe|pathping\.exe|quser\.exe|schtasks\.exe|sysinfo\.exe|tasklist\.exe|tracert\.exe|ver\.exe|VSSADMIN\.EXE|wevtutil\.exe|whoami\.exe)$</field>
    </rule>
    <rule id="902061" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1018</id>
            <id>attack.t1033</id>
            <id>attack.t1087</id>
        </mitre>
        <description>Webshell Detection With Command Line Keywords</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ Test\-NetConnection\ |dir\ \\+</field>
    </rule>
    <rule id="902062" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+php\.exe|\\+tomcat\.exe|\\+UMWorkerProcess\.exe|\\+w3wp\.exe|\\+ws_TomcatService\.exe)$</field>
    </rule>
    <rule id="902063" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902064" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentCommandLine" negate="no" type="pcre2">(?i)CATALINA_HOME|catalina\.home|catalina\.jar</field>
    </rule>
    <rule id="902065" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
            <id>attack.t1190</id>
        </mitre>
        <description>Suspicious Process By Web Server Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+arp\.exe|\\+at\.exe|\\+bash\.exe|\\+bitsadmin\.exe|\\+certutil\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+dsget\.exe|\\+hostname\.exe|\\+nbtstat\.exe|\\+net\.exe|\\+net1\.exe|\\+netdom\.exe|\\+netsh\.exe|\\+nltest\.exe|\\+ntdutil\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+qprocess\.exe|\\+query\.exe|\\+qwinsta\.exe|\\+reg\.exe|\\+rundll32\.exe|\\+sc\.exe|\\+sh\.exe|\\+wmic\.exe|\\+wscript\.exe|\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:Windows\\+system32\\+cmd\.exe\ /c\ C:\\+ManageEngine\\+ADManager\ "Plus\\+ES\\+bin\\+elasticsearch\.bat\ \-Enode\.name=RMP\-NODE1\ \-pelasticsearch\-pid\.txt)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+java\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)sc\ query</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ADManager\ Plus</field>
    </rule>
    <rule id="902066" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+caddy\.exe|\\+httpd\.exe|\\+nginx\.exe|\\+php\-cgi\.exe|\\+w3wp\.exe|\\+ws_tomcatservice\.exe)$</field>
    </rule>
    <rule id="902067" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\-tomcat\-|\\+tomcat</field>
    </rule>
    <rule id="902068" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+java\.exe|\\+javaw\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)CATALINA_HOME|catalina\.jar</field>
    </rule>
    <rule id="902069" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1505.003</id>
        </mitre>
        <description>Webshell Tool Reconnaissance Activity</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)perl\ \-\-help|perl\ \-h|python\ \-\-help|python\ \-h|python3\ \-\-help|python3\ \-h|wget\ \-\-help</field>
    </rule>
    <rule id="902070" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via WER</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+Werfault\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WerFault\.exe)$</field>
        <field name="win.eventdata.parentUser" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.user" negate="no" type="pcre2">(?i)AUTHORI|AUTORI</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-u\ \-p\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-ip\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ \-s\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+lsass\.exe)$</field>
    </rule>
    <rule id="902071" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055</id>
            <id>attack.t1036</id>
        </mitre>
        <description>Suspicious Child Process Of Wermgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+cscript\.exe|\\+ipconfig\.exe|\\+mshta\.exe|\\+net\.exe|\\+net1\.exe|\\+netstat\.exe|\\+nslookup\.exe|\\+powershell_ise\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+systeminfo\.exe|\\+whoami\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902072" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Suspicious Execution Location Of Wermgr.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wermgr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
    </rule>
    <rule id="902073" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami Utility Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:whoami\.exe)$</field>
    </rule>
    <rule id="902074" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution With Output Option</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:whoami\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ /FO\ CSV|\ \-FO\ CSV</field>
    </rule>
    <rule id="902075" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution With Output Option</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)whoami.+&gt;</field>
    </rule>
    <rule id="902076" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:whoami\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+powershell_ise\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+powershell\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+pwsh\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="902077" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.discovery</id>
            <id>attack.t1033</id>
            <id>car.2016-03-001</id>
        </mitre>
        <description>Whoami.EXE Execution Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+whoami\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:whoami\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?::\\+Program\ Files\\+Microsoft\ Monitoring\ Agent\\+Agent\\+MonitoringHost\.exe)$</field>
    </rule>
    <rule id="902078" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Suspicious WindowsTerminal Child Processes</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WindowsTerminal\.exe|\\+wt\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe|\\+regsvr32\.exe|\\+certutil\.exe|\\+cscript\.exe|\\+wscript\.exe|\\+csc\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)C:\\+Users\\+Public\\+|\\+Downloads\\+|\\+Desktop\\+|\\+AppData\\+Local\\+Temp\\+|\\+Windows\\+TEMP\\+</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ iex\ |\ icm|Invoke\-|Import\-Module\ |ipmo\ |DownloadString\(|\ /c\ |\ /k\ |\ /r\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Import\-Module</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Microsoft\.VisualStudio\.DevShell\.dll</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Enter\-VsDevShell</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Packages\\+Microsoft\.WindowsTerminal_</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+LocalState\\+settings\.json</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\ Visual\ Studio\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)\\+Common7\\+Tools\\+VsDevCmd\.bat</field>
    </rule>
    <rule id="902079" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Winrar Execution in Non-Standard Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe|\\+winrar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Command\ line\ RAR)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+UnRAR\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+WinRAR\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+WinRAR\\+</field>
    </rule>
    <rule id="902080" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.collection</id>
            <id>attack.t1560.001</id>
        </mitre>
        <description>Winrar Execution in Non-Standard Folder</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rar\.exe|\\+winrar\.exe)$</field>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)^(?:Command\ line\ RAR)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="902081" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1216</id>
        </mitre>
        <description>AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)winrm</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)format:pretty|format:"pretty"|format:"text"|format:text</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="902082" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
            <id>attack.t1021.006</id>
        </mitre>
        <description>Remote PowerShell Session Host Process (WinRM)</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
    </rule>
    <rule id="902083" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1190</id>
            <id>attack.initial_access</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
        </mitre>
        <description>Suspicious Processes Spawned by WinRM</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsmprovhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+sh\.exe|\\+bash\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+wsl\.exe|\\+schtasks\.exe|\\+certutil\.exe|\\+whoami\.exe|\\+bitsadmin\.exe)$</field>
    </rule>
    <rule id="902084" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Wlrmdr.EXE Uncommon Argument Or Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wlrmdr\.exe)$</field>
    </rule>
    <rule id="902085" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Wlrmdr.EXE Uncommon Argument Or Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wlrmdr\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:WLRMNDR\.EXE)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-s\ |\-f\ |\-t\ |\-m\ |\-a\ |\-u\ )</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+winlogon\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:\-)$</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902086" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>New ActiveScriptEventConsumer Created Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)ActiveScriptEventConsumer</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:\ CREATE\ )</field>
    </rule>
    <rule id="902087" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Process Reconnaissance Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WMIC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)process</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)call</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)create</field>
    </rule>
    <rule id="902088" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WMIC Remote Command Execution</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+WMIC\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wmic\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/node:</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/node:127\.0\.0\.1\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/node:localhost\ )</field>
    </rule>
    <rule id="902089" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Suspicious Process Created Via Wmic.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:process\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:call\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:create\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32|bitsadmin|regsvr32|cmd\.exe\ /c\ |cmd\.exe\ /k\ |cmd\.exe\ /r\ |cmd\ /c\ |cmd\ /k\ |cmd\ /r\ |powershell|pwsh|certutil|cscript|wscript|mshta|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+|%temp%|%tmp%|%ProgramData%|%appdata%|%comspec%|%localappdata%</field>
    </rule>
    <rule id="902090" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)wmic</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:product\ where\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)call</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)uninstall</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/nointeractive</field>
    </rule>
    <rule id="902091" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)wmic</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:caption\ like\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)call\ delete|call\ terminate</field>
    </rule>
    <rule id="902092" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:process\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)(?:where\ )</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)delete</field>
    </rule>
    <rule id="902093" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential Tampering With Security Products Via WMIC</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)%carbon%|%cylance%|%endpoint%|%eset%|%malware%|%Sophos%|%symantec%|Antivirus|AVG\ |Carbon\ Black|CarbonBlack|Cb\ Defense\ Sensor\ 64\-bit|Crowdstrike\ Sensor|Cylance\ |Dell\ Threat\ Defense|DLP\ Endpoint|Endpoint\ Detection|Endpoint\ Protection|Endpoint\ Security|Endpoint\ Sensor|ESET\ File\ Security|LogRhythm\ System\ Monitor\ Service|Malwarebytes|McAfee\ Agent|Microsoft\ Security\ Client|Sophos\ Anti\-Virus|Sophos\ AutoUpdate|Sophos\ Credential\ Store|Sophos\ Management\ Console|Sophos\ Management\ Database|Sophos\ Management\ Server|Sophos\ Remote\ Management\ System|Sophos\ Update\ Manager|Threat\ Protection|VirusScan|Webroot\ SecureAnywhere|Windows\ Defender</field>
    </rule>
    <rule id="902094" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1220</id>
        </mitre>
        <description>XSL Script Execution Via WMIC.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wmic\.exe)$</field>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:\-format)</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:List</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:htable</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:hform</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:table</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:mof</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:value</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:rawxml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:xml</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)Format:csv</field>
    </rule>
    <rule id="902095" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
        </mitre>
        <description>WmiPrvSE Spawned A Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+WmiPrvSe\.exe)$</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)^(?:0x3e7)$</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)^(?:null)$</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.logonId" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902096" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+certutil\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+msiexec\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+verclsid\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902097" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)cscript|mshta|powershell|pwsh|regsvr32|rundll32|wscript</field>
    </rule>
    <rule id="902098" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1047</id>
            <id>attack.t1204.002</id>
            <id>attack.t1218.010</id>
        </mitre>
        <description>Suspicious WmiPrvSE Child Process</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wbem\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WerFault\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WmiPrvSE\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:/i\ )</field>
    </rule>
    <rule id="902099" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Backdoor Exchange Transport Agent</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+EdgeTransport\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+conhost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\\+Exchange\ Server\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Bin\\+OleConverter\.exe)$</field>
    </rule>
    <rule id="902100" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Persistence - Script Event Consumer</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+wbem\\+scrcons\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
    </rule>
    <rule id="902101" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1542.001</id>
        </mitre>
        <description>UEFI Persistence Via Wpbbin - ProcessCreation</description>
        <options>no_full_log</options>
        <group>windows,process_creation,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+wpbbin\.exe)$</field>
    </rule>
    <rule id="902102" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
    </rule>
    <rule id="902103" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)mshta</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)http</field>
    </rule>
    <rule id="902104" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)rundll32|regsvr32|msiexec</field>
    </rule>
    <rule id="902105" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Cscript/Wscript Potentially Suspicious Child Process</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wscript\.exe|\\+cscript\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+cmd\.exe|\\+powershell\.exe|\\+pwsh\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)UpdatePerUserSystemParameters</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)PrintUIEntry</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)ClearMyTracksByProcess</field>
    </rule>
    <rule id="902106" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>WSL Child Process Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+wslhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+calc\.exe|\\+cmd\.exe|\\+cscript\.exe|\\+mshta\.exe|\\+powershell\.exe|\\+pwsh\.exe|\\+regsvr32\.exe|\\+rundll32\.exe|\\+wscript\.exe)$</field>
    </rule>
    <rule id="902107" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>WSL Child Process Anomaly</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe|\\+wslhost\.exe)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|C:\\+Users\\+Public\\+|C:\\+Windows\\+Temp\\+|C:\\+Temp\\+|\\+Downloads\\+|\\+Desktop\\+</field>
    </rule>
    <rule id="902108" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Arbitrary Command Execution Using WSL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wsl\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wsl\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)\ \-e\ |\ \-\-exec|\ \-\-system|\ \-\-shell\-type\ |\ /mnt/c|\ \-\-user\ root|\ \-u\ root|\-\-debug\-shell</field>
        <field name="win.eventdata.parentImage" negate="yes" type="pcre2">(?i)(?:\\+cmd\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-d\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ \-e\ kill\ )</field>
    </rule>
    <rule id="902109" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Windows Binary Executed From WSL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)[a-zA-Z]:\\+</field>
        <field name="win.eventdata.currentDirectory" negate="no" type="pcre2">(?i)\\+wsl\.localhost</field>
    </rule>
    <rule id="902110" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.execution</id>
        </mitre>
        <description>Proxy Execution Via Wuauclt.EXE</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)^(?:wuauclt\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)UpdateDeploymentProvider</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)RunHandlerComServer</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ /UpdateDeploymentProvider\ UpdateDeploymentProvider\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\ wuaueng\.dll\ )</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+Packages\\+Preview\\+amd64\\+updatedeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+UUS\\+amd64\\+UpdateDeploy\.dll\ /ClassId</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.commandLine" negate="yes" type="pcre2">(?i)(?:\\+UpdateDeploy\.dll\ /ClassId\ )</field>
    </rule>
    <rule id="902111" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa Extracting Cab Files</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)/extract:</field>
    </rule>
    <rule id="902112" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa.EXE Executed By Parent Process Located In Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+Appdata\\+Local\\+Temp\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902113" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>Wusa.EXE Executed By Parent Process Located In Suspicious Location</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+wusa\.exe)$</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.parentImage" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="902114" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.012</id>
        </mitre>
        <description>Potential Process Hollowing Activity</description>
        <options>no_full_log</options>
        <group>windows,process_tampering,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.type" negate="no" type="pcre2">(?i)^(?:Image\ is\ replaced)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+wbem\\+WMIADAP\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+wbem\\+WMIADAP\.exe</field>
    </rule>
    <rule id="902115" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1055.012</id>
        </mitre>
        <description>Potential Process Hollowing Activity</description>
        <options>no_full_log</options>
        <group>windows,process_tampering,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.type" negate="no" type="pcre2">(?i)^(?:Image\ is\ replaced)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Programs\\+Opera\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+opera\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+WindowsApps\\+MicrosoftEdge\.exe)$</field>
    </rule>
    <rule id="902116" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1006</id>
        </mitre>
        <description>Potential Defense Evasion Via Raw Disk Access By Uncommon Tools</description>
        <options>no_full_log</options>
        <group>windows,raw_access_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="yes" type="pcre2">(?i)floppy</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+\$WINDOWS\.\~BT\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+CCM\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+explorer\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+servicing\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SoftwareDistribution\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SystemApps\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+uus\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+WinSxS\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:Registry)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Microsoft\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Executables\\+SSDUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+HostMetadata\\+NVMEHostmetadata\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+ImmersiveControlPanel\\+SystemSettings\.exe)$</field>
    </rule>
    <rule id="902117" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1006</id>
        </mitre>
        <description>Potential Defense Evasion Via Raw Disk Access By Uncommon Tools</description>
        <options>no_full_log</options>
        <group>windows,raw_access_thread,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+GitHubDesktop\\+app\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+resources\\+app\\+git\\+mingw64\\+bin\\+git\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+Temp\\+asgard2\-agent\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+thor\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Keybase\\+upd\.exe</field>
    </rule>
    <rule id="902118" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential NetWire RAT Activity - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+software\\+NetWire</field>
    </rule>
    <rule id="902119" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Ursnif Malware Activity - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+AppDataLow\\+Software\\+Microsoft\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+Internet\ Explorer\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+RepService\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+IME\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+AppDataLow\\+Software\\+Microsoft\\+Edge\\+</field>
    </rule>
    <rule id="902120" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via New AMSI Providers - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+AMSI\\+Providers\\+|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+AMSI\\+Providers\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
    </rule>
    <rule id="902121" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential COM Object Hijacking Via TreatAs Subkey - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKU\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+TreatAs</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
    </rule>
    <rule id="902122" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Disk Cleanup Handler - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Active\ Setup\ Temp\ Folders)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+BranchCache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Content\ Indexer\ Cleaner)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+D3D\ Shader\ Cache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Delivery\ Optimization\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Device\ Driver\ Packages)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Diagnostic\ Data\ Viewer\ database\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Downloaded\ Program\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+DownloadsFolder)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Feedback\ Hub\ Archive\ log\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Internet\ Cache\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Language\ Pack)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\ Office\ Temp\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Offline\ Pages\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Old\ ChkDsk\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Previous\ Installations)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Recycle\ Bin)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+RetailDemo\ Offline\ Content)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Setup\ Log\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+System\ error\ memory\ dump\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+System\ error\ minidump\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Setup\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Temporary\ Sync\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Thumbnail\ Cache)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Update\ Cleanup)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Upgrade\ Discarded\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+User\ file\ versions)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Defender)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Error\ Reporting\ Files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ ESD\ installation\ files)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Windows\ Upgrade\ Log\ Files)$</field>
    </rule>
    <rule id="902123" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1037.001</id>
            <id>attack.persistence</id>
            <id>attack.lateral_movement</id>
        </mitre>
        <description>Potential Persistence Via Logon Scripts - Registry</description>
        <options>no_full_log</options>
        <group>registry_add,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)UserInitMprLogonScript</field>
    </rule>
    <rule id="902124" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>PUA - Sysinternal Tool Execution - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
    </rule>
    <rule id="902125" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Suspicious Execution Of Renamed Sysinternals Tools - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Active\ Directory\ Explorer|\\+Handle|\\+LiveKd|\\+ProcDump|\\+Process\ Explorer|\\+PsExec|\\+PsLoggedon|\\+PsLoglist|\\+PsPasswd|\\+PsPing|\\+PsService|\\+SDelete</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsLoggedon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsLoggedon64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsPing\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsPing64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsService\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsService64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+sdelete\.exe)$</field>
    </rule>
    <rule id="902126" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>PUA - Sysinternals Tools Execution - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_add,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Active\ Directory\ Explorer|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+ProcDump|\\+PsExec|\\+PsLoglist|\\+PsPasswd|\\+SDelete|\\+Sysinternals</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
    </rule>
    <rule id="902127" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Folder Removed From Exploit Guard ProtectedFolders List - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ Defender\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+ProtectedFolders</field>
    </rule>
    <rule id="902128" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Terminal Server Client Connection History Cleared - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Terminal\ Server\ Client\\+Default\\+MRU</field>
    </rule>
    <rule id="902129" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Terminal Server Client Connection History Cleared - Registry</description>
        <options>no_full_log</options>
        <group>registry_delete,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Terminal\ Server\ Client\\+Servers\\+</field>
    </rule>
    <rule id="902130" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Removal Of AMSI Provider Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\{2781761E\-28E0\-4109\-99FE\-B9D127C57AFE\}|\{A7C452EF\-8E9F\-42EB\-9F2B\-245613CA0DC9\})$</field>
    </rule>
    <rule id="902131" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Removal of Potential COM Hijacking Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+shell\\+open\\+command)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Dropbox\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Dropbox\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Temp\\+Wireshark_uninstaller\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+wireshark\-capture\-file\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Opera\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Opera\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+installer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)peazip</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+PeaZip\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Everything\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Everything\.</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Java\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+installer\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Classes\\+WOW6432Node\\+CLSID\\+\{4299124F\-F2C3\-41b4\-9C73\-9236B2AD0E8F\}</field>
    </rule>
    <rule id="902132" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Removal Of Index Value to Hide Schedule Task - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Index</field>
    </rule>
    <rule id="902133" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Removal Of SD Value to Hide Schedule Task - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_delete,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SD</field>
    </rule>
    <rule id="902134" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1136.001</id>
        </mitre>
        <description>Creation of a Local Hidden User Account by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SAM\\+SAM\\+Domains\\+Account\\+Users\\+Names\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\$)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+lsass\.exe)$</field>
    </rule>
    <rule id="902135" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Leviathan Registry Key Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+ntkd</field>
    </rule>
    <rule id="902136" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>OceanLotus Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+CLSID\\+\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\+Model</field>
    </rule>
    <rule id="902137" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>OceanLotus Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+AppXc52346ec40fb4061ad96be0e6cb7d16a\\+|Classes\\+AppX3bbba44c6cae4d9695755183472171e2\\+|Classes\\+CLSID\\+\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\+|Classes\\+CLSID\\+\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\+Model</field>
    </rule>
    <rule id="902138" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.g0049</id>
            <id>attack.t1053.005</id>
            <id>attack.s0111</id>
            <id>attack.t1543.003</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.command_and_control</id>
            <id>attack.t1071.004</id>
        </mitre>
        <description>OilRig APT Registry Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+UMe|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+UT)$</field>
    </rule>
    <rule id="902139" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Pandemic Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+services\\+null\\+Instance</field>
    </rule>
    <rule id="902140" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Via Wsreset</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\+Shell\\+open\\+command)$</field>
    </rule>
    <rule id="902141" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.execution</id>
            <id>attack.t1218.003</id>
            <id>attack.g0069</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>CMSTP Execution Registry Event</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+cmmgr32\.exe</field>
    </rule>
    <rule id="902142" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Security Events Logging Adding Reg Key MiniNt</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt)$</field>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt)$</field>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:CreateKey)$</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)^(?:HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+MiniNt)$</field>
    </rule>
    <rule id="902143" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Wdigest CredGuard Registry Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+IsCredGuardEnabled)$</field>
    </rule>
    <rule id="902144" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.002</id>
        </mitre>
        <description>Esentutl Volume Shadow Copy Service Keys</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)System\\+CurrentControlSet\\+Services\\+VSS</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:esentutl\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)System\\+CurrentControlSet\\+Services\\+VSS\\+Start</field>
    </rule>
    <rule id="902145" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
            <id>attack.s0005</id>
        </mitre>
        <description>Windows Credential Editor Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Services\\+WCESERVICE\\+Start</field>
    </rule>
    <rule id="902146" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1608</id>
        </mitre>
        <description>HybridConnectionManager Service Installation - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+HybridConnectionManager</field>
    </rule>
    <rule id="902147" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1608</id>
        </mitre>
        <description>HybridConnectionManager Service Installation - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Microsoft\.HybridConnectionManager\.Listener\.exe</field>
    </rule>
    <rule id="902148" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Qakbot Registry Activity</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+firm\\+soft\\+Name)$</field>
    </rule>
    <rule id="902149" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Entries For Azorult Malware</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:12|13)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+services\\+localNETService)$</field>
    </rule>
    <rule id="902150" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers\\+Version\-3\\+QMS\ 810\\+|\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers\\+Version\-3\\+mimikatz</field>
    </rule>
    <rule id="902151" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)legitprinter</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows</field>
    </rule>
    <rule id="902152" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204</id>
            <id>cve.2021.1675</id>
            <id>cve.2021.34527</id>
        </mitre>
        <description>PrinterNightmare Mimikatz Driver Name</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments|\\+CurrentVersion\\+Print\\+Printers</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Gentil\ Kiwi|mimikatz\ printer|Kiwi\ Legit\ Printer</field>
    </rule>
    <rule id="902153" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546.002</id>
        </mitre>
        <description>Path To Screensaver Binary Modified</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\ Panel\\+Desktop\\+SCRNSAVE\.EXE)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+explorer\.exe)$</field>
    </rule>
    <rule id="902154" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Narrator's Feedback-Hub Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:DeleteValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppXypsaf9f1qserqevf0sws76dx4k9a5206\\+Shell\\+open\\+command\\+DelegateExecute)$</field>
    </rule>
    <rule id="902155" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Narrator's Feedback-Hub Persistence</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppXypsaf9f1qserqevf0sws76dx4k9a5206\\+Shell\\+open\\+command\\+$Default$)$</field>
    </rule>
    <rule id="902156" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NetNTLM Downgrade Attack - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Lsa</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+lmcompatibilitylevel|\\+NtlmMinClientSec|\\+RestrictSendingNTLMTraffic)$</field>
    </rule>
    <rule id="902157" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.009</id>
        </mitre>
        <description>New DLL Added to AppCertDlls Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+Session\ Manager\\+AppCertDlls)$</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)^(?:HKLM\\+SYSTEM\\+CurentControlSet\\+Control\\+Session\ Manager\\+AppCertDlls)$</field>
    </rule>
    <rule id="902158" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.010</id>
        </mitre>
        <description>New DLL Added to AppInit_DLLs Registry Key</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls)$</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Windows\\+AppInit_Dlls)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902159" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.002</id>
        </mitre>
        <description>Office Application Startup - Office Test</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Office\ test\\+Special\\+Perf</field>
    </rule>
    <rule id="902160" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.initial_access</id>
            <id>attack.t1566.001</id>
        </mitre>
        <description>Windows Registry Trust Record Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+Trusted\ Documents\\+TrustRecords</field>
    </rule>
    <rule id="902161" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Registry Persistence Mechanisms in Recycle Bin</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:RenameKey)$</field>
        <field name="win.eventdata.newName" negate="no" type="pcre2">(?i)\\+CLSID\\+\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\+shell\\+open</field>
    </rule>
    <rule id="902162" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Registry Persistence Mechanisms in Recycle Bin</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+\{645FF040\-5081\-101B\-9F08\-00AA002F954E\}\\+shell\\+open\\+command\\+$Default$</field>
    </rule>
    <rule id="902163" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.lateral_movement</id>
            <id>attack.defense_evasion</id>
            <id>attack.command_and_control</id>
            <id>attack.t1090</id>
        </mitre>
        <description>New PortProxy Registry Entry Added</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+PortProxy\\+v4tov4\\+tcp\\+</field>
    </rule>
    <rule id="902164" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RedMimicry Winnti Playbook Registry Manipulation</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)HKLM\\+SOFTWARE\\+Microsoft\\+HTMLHelp\\+data</field>
    </rule>
    <rule id="902165" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>WINEKEY Registry Modification</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Backup\ Mgr)$</field>
    </rule>
    <rule id="902166" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Run Once Task Configuration in Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Active\ Setup\\+Installed\ Components</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+StubPath)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Google\\+Chrome\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Installer\\+chrmstp\.exe"\ \-\-configure\-user\-settings\ \-\-verbose\-logging\ \-\-system\-level</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\\+Microsoft\\+Edge\\+Application\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Installer\\+setup\.exe"\ \-\-configure\-user\-settings\ \-\-verbose\-logging\ \-\-system\-level\ \-\-msedge\ \-\-channel=stable)$</field>
    </rule>
    <rule id="902167" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+SymbolicLinkValue)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Software\\+Classes\\+\{</field>
    </rule>
    <rule id="902168" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+DelegateExecute)$</field>
    </rule>
    <rule id="902169" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>attack.t1546.001</id>
        </mitre>
        <description>Shell Open Registry Keys Manipulation</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Classes\\+ms\-settings\\+shell\\+open\\+command\\+$Default$|Classes\\+exefile\\+shell\\+open\\+command\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902170" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Potential Credential Dumping Via LSASS SilentProcessExit Technique</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Microsoft\\+Windows\ NT\\+CurrentVersion\\+SilentProcessExit\\+lsass\.exe</field>
    </rule>
    <rule id="902171" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.005</id>
        </mitre>
        <description>Security Support Provider (SSP) Added to LSA Configuration</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\\+Lsa\\+Security\ Packages|\\+Control\\+Lsa\\+OSConfig\\+Security\ Packages)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+syswow64\\+MsiExec\.exe)$</field>
    </rule>
    <rule id="902172" level="15">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.t1546.008</id>
            <id>car.2014-11-003</id>
            <id>car.2014-11-008</id>
        </mitre>
        <description>Sticky Key Like Backdoor Usage - Registry</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+sethc\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+utilman\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+osk\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+Magnify\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+Narrator\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+DisplaySwitch\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+atbroker\.exe\\+Debugger|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options\\+HelpPane\.exe\\+Debugger)$</field>
    </rule>
    <rule id="902173" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
            <id>attack.persistence</id>
            <id>attack.t1547</id>
        </mitre>
        <description>Atbroker Registry Change</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+ATs|Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+Configuration</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+atbroker\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+Configuration</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Accessibility\\+ATs</field>
    </rule>
    <rule id="902174" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Run Key from Download</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Downloads\\+|\\+Temporary\ Internet\ Files\\+Content\.Outlook\\+|\\+Local\ Settings\\+Temporary\ Internet\ Files\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+</field>
    </rule>
    <rule id="902175" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.t1547.008</id>
        </mitre>
        <description>DLL Load via LSASS</description>
        <options>no_full_log</options>
        <group>registry_event,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Services\\+NTDS\\+DirectoryServiceExtPt|\\+CurrentControlSet\\+Services\\+NTDS\\+LsaDbExtPt</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+lsass\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%%systemroot%%\\+system32\\+ntdsa\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%%systemroot%%\\+system32\\+lsadb\.dll)$</field>
    </rule>
    <rule id="902176" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+WBEM\\+CIMOM\\+AllowAnonymousCallback</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902177" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Registry Persistence via Service in Safe Mode</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+SafeBoot\\+Minimal\\+|\\+Control\\+SafeBoot\\+Network\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:Service)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Control\\+SafeBoot\\+Minimal\\+SAVService\\+$Default$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Control\\+SafeBoot\\+Network\\+SAVService\\+$Default$)$</field>
    </rule>
    <rule id="902178" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Add Port Monitor Persistence in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+CutePDF\ Writer\ Monitor\ v4\.0\\+Driver</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:cpwmon64_v40\.dll)$</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Control\\+Print\\+Monitors\\+MONVNC\\+Driver</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Control\\+Print\\+Environments\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Drivers\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer</field>
    </rule>
    <rule id="902179" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Add Debugger Entry To AeDebug For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AeDebug\\+Debugger</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+WINDOWS\\+system32\\+vsjitdebugger\.exe"\ \-p\ %ld\ \-e\ %ld\ \-j\ 0x%p)$</field>
    </rule>
    <rule id="902180" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Allow RDP Remote Assistance Feature</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Terminal\ Server\\+fAllowToGetHelp)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902181" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Potential AMSI COM Server Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CLSID\\+\{fdb00e52\-a214\-4aa1\-8fba\-4357bb0072ec\}\\+InProcServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%windir%\\+system32\\+amsi\.dll)$</field>
    </rule>
    <rule id="902182" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Classes Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Classes</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Folder\\+ShellEx\\+ExtShellFolderViews|\\+Folder\\+ShellEx\\+DragDropHandlers|\\+Folder\\+Shellex\\+ColumnHandlers|\\+Filter|\\+Exefile\\+Shell\\+Open\\+Command\\+$Default$|\\+Directory\\+Shellex\\+DragDropHandlers|\\+Directory\\+Shellex\\+CopyHookHandlers|\\+CLSID\\+\{AC757296\-3522\-4E11\-9862\-C17BE5A1767E\}\\+Instance|\\+CLSID\\+\{ABE3B9A4\-257D\-4B97\-BD1A\-294AF496222E\}\\+Instance|\\+CLSID\\+\{7ED96837\-96F0\-4812\-B211\-F13C24117ED3\}\\+Instance|\\+CLSID\\+\{083863F1\-70DE\-11d0\-BD40\-00A0C911CE86\}\\+Instance|\\+Classes\\+AllFileSystemObjects\\+ShellEx\\+DragDropHandlers|\\+\.exe|\\+\.cmd|\\+ShellEx\\+PropertySheetHandlers|\\+ShellEx\\+ContextMenuHandlers</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{807583E5\-5146\-11D5\-A672\-00B0D022E945\})$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+drvinst\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+lnkfile\\+shellex\\+ContextMenuHandlers\\+</field>
    </rule>
    <rule id="902183" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Common Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ CE\ Services\\+AutoStart|\\+Software\\+Wow6432Node\\+Microsoft\\+Command\ Processor\\+Autorun|\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Active\ Setup\\+Installed\ Components|\\+SOFTWARE\\+Microsoft\\+Windows\ CE\ Services\\+AutoStartOnDisconnect|\\+SOFTWARE\\+Microsoft\\+Windows\ CE\ Services\\+AutoStartOnConnect|\\+SYSTEM\\+Setup\\+CmdLine|\\+Software\\+Microsoft\\+Ctf\\+LangBarAddin|\\+Software\\+Microsoft\\+Command\ Processor\\+Autorun|\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components|\\+SOFTWARE\\+Classes\\+Protocols\\+Handler|\\+SOFTWARE\\+Classes\\+Protocols\\+Filter|\\+SOFTWARE\\+Classes\\+Htmlfile\\+Shell\\+Open\\+Command\\+$Default$|\\+Environment\\+UserInitMprLogonScript|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+Control\ Panel\\+Desktop\\+Scrnsave\.exe|\\+Software\\+Microsoft\\+Internet\ Explorer\\+UrlSearchHooks|\\+SOFTWARE\\+Microsoft\\+Internet\ Explorer\\+Desktop\\+Components|\\+Software\\+Classes\\+Clsid\\+\{AB8902B4\-09CA\-4bb6\-B78D\-A8F59079A8D5\}\\+Inprocserver32|\\+Control\ Panel\\+Desktop\\+Scrnsave\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Office\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Classes\\+PROTOCOLS\\+Handler\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRunStore\\+HKMU\\+SOFTWARE\\+Classes\\+PROTOCOLS\\+Handler\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{314111c7\-a502\-11d2\-bbca\-00c04f8ec294\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{3459B272\-CC19\-4448\-86C9\-DDC3B4B2FAD3\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{42089D2D\-912D\-4018\-9087\-2B87803E93FB\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{5504BE45\-A83B\-4808\-900A\-3A5C36E7F77A\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{807583E5\-5146\-11D5\-A672\-00B0D022E945\})$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{8A69D345\-D564\-463c\-AFF1\-A69D9E530F96\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{9459C573\-B17A\-45AE\-9F64\-1857B5D58CEE\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Software\\+Microsoft\\+Active\ Setup\\+Installed\ Components\\+\{89820200\-ECBD\-11cf\-8B85\-00AA005B4383\}</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
    </rule>
    <rule id="902184" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentControlSet Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Control</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+InitialProgram|\\+Terminal\ Server\\+Wds\\+rdpwd\\+StartupPrograms|\\+SecurityProviders\\+SecurityProviders|\\+SafeBoot\\+AlternateShell|\\+Print\\+Providers|\\+Print\\+Monitors|\\+NetworkProvider\\+Order|\\+Lsa\\+Notification\ Packages|\\+Lsa\\+Authentication\ Packages|\\+BootVerificationProgram\\+ImagePath</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Print\\+Monitors\\+CutePDF\ Writer\ Monitor</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:cpwmon64_v40\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:CutePDF\ Writer)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Print\\+Monitors\\+Appmon\\+Ports\\+Microsoft\.Office\.OneNote_</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTHORI</field>
        <field name="win.eventdata.user" negate="yes" type="pcre2">(?i)AUTORI</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+NetworkProvider\\+Order\\+ProviderOrder)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+spoolsv\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Print\\+Monitors\\+MONVNC\\+Driver)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:VNCpm\.dll)$</field>
    </rule>
    <rule id="902185" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ShellServiceObjectDelayLoad|\\+Run\\+|\\+RunOnce\\+|\\+RunOnceEx\\+|\\+RunServices\\+|\\+RunServicesOnce\\+|\\+Policies\\+System\\+Shell|\\+Policies\\+Explorer\\+Run|\\+Group\ Policy\\+Scripts\\+Startup|\\+Group\ Policy\\+Scripts\\+Shutdown|\\+Group\ Policy\\+Scripts\\+Logon|\\+Group\ Policy\\+Scripts\\+Logoff|\\+Explorer\\+ShellServiceObjects|\\+Explorer\\+ShellIconOverlayIdentifiers|\\+Explorer\\+ShellExecuteHooks|\\+Explorer\\+SharedTaskScheduler|\\+Explorer\\+Browser\ Helper\ Objects|\\+Authentication\\+PLAP\ Providers|\\+Authentication\\+Credential\ Providers|\\+Authentication\\+Credential\ Provider\ Filters</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+NgcFirst\\+ConsecutiveSwitchCount)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+Update\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Roaming\\+Spotify\\+Spotify\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+WebEx\\+WebexHost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+devicecensus\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+winsat\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ OneDrive\\+StandaloneUpdater\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ OneDrive\\+Update\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ OneDrive\\+Update\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+KeePass\ Password\ Safe\ 2\\+ShInstUtil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Everything\\+Everything\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+LogonUI\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{D6886603\-9D2F\-4EB2\-B667\-1971041FA96B\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{BEC09223\-B018\-416D\-A0AC\-523971B639F5\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{8AF662BF\-65A0\-4D0A\-A540\-A338A999D36F\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Authentication\\+Credential\ Providers\\+\{27FBDB57\-B613\-4AF2\-9D7E\-4FA7A66C21AD\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeUpdate\\+Install\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeWebView\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Edge\\+Application\\+msedge\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)DropboxExt</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:A251\-47B7\-93E1\-CDD82E34AF8B\})$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Opera\ Browser\ Assistant)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Opera\\+assistant\\+browser_assistant\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+iTunesHelper)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+Program\ Files\\+iTunes\\+iTunesHelper\.exe")$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+zoommsirepair)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+Program\ Files\\+Zoom\\+bin\\+installer\.exe"\ /repair)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Greenshot)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Greenshot\\+Greenshot\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+GoogleDriveFS)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Google\\+Drive\ File\ Stream\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+GoogleDriveFS\.exe</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)GoogleDrive</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{CFE8B367\-77A7\-41D7\-9C90\-75D16D7DC6B6\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{A8E52322\-8734\-481D\-A7E2\-27B309EF8D56\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{C973DA94\-CBDF\-4E77\-81D1\-E5B794FBD146\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{51EF1569\-67EE\-4AD6\-9646\-E726C3FFC8A2\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ rmdir\ /s\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ del\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Package\ Cache\\+\{</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\}\\+python\-</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+current\\+Teams\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Teams\\+Update\.exe\ \-\-processStart\ )</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+userinit\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:ctfmon\.exe\ /n)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+AVG\\+Antivirus\\+Setup\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+Program\ Files\\+AVG\\+Antivirus\\+AvLaunch\.exe"\ /gui)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+Program\ Files\ $x86$\\+AVG\\+Antivirus\\+AvLaunch\.exe"\ /gui)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{472083B0\-C522\-11CF\-8763\-00608CC02F24\})$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\-64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+aurora\-agent\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+aurora\-dashboard)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Aurora\-Agent\\+tools\\+aurora\-dashboard\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+Everything)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+Everything\\+Everything\.exe"\ \-startup)$</field>
    </rule>
    <rule id="902186" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>CurrentVersion NT Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Winlogon\\+VmApplet|\\+Winlogon\\+Userinit|\\+Winlogon\\+Taskman|\\+Winlogon\\+Shell|\\+Winlogon\\+GpExtensions|\\+Winlogon\\+AppSetup|\\+Winlogon\\+AlternateShells\\+AvailableShells|\\+Windows\\+IconServiceLib|\\+Windows\\+Appinit_Dlls|\\+Image\ File\ Execution\ Options|\\+Font\ Drivers|\\+Drivers32|\\+Windows\\+Run|\\+Windows\\+Load</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Image\ File\ Execution\ Options\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+DisableExceptionChainValidation)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+MitigationOptions)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\\+Temp\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdate\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRunStore\\+HKLM\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Winlogon\\+GPExtensions\\+\{827D319E\-6EAC\-11D2\-A4EA\-00C04F79F83A\}\\+PreviousPolicyAreas</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Winlogon\\+GPExtensions\\+\{827D319E\-6EAC\-11D2\-A4EA\-00C04F79F83A\}\\+MaxNoGPOListChangesInterval</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD\ $0x00000009$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD\ $0x000003c0$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+StandaloneUpdater\\+OneDriveSetup\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+Delete\ Cached\ Update\ Binary)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+cmd\.exe\ /q\ /c\ del\ /q\ "C:\\+Users\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+Update\\+OneDriveSetup\.exe")$</field>
    </rule>
    <rule id="902187" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Internet Explorer Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Microsoft\\+Internet\ Explorer|\\+Software\\+Microsoft\\+Internet\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Toolbar|\\+Extensions|\\+Explorer\ Bars</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{2670000A\-7350\-4f3c\-8081\-5663EE0C6C49\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{31D09BA0\-12F5\-4CCE\-BE8A\-2923E76605DA\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{789FE86F\-6FC4\-46A1\-9849\-EDE0DB0C95CA\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Extensions\\+\{A95fe080\-8f5d\-11d2\-a20b\-00aa003c157a\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+ShellBrowser\\+ITBar7Layout)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+ShowDiscussionButton)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Toolbar\\+Locked)$</field>
    </rule>
    <rule id="902188" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Office Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Microsoft\\+Office|\\+Software\\+Microsoft\\+Office</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Word\\+Addins|\\+PowerPoint\\+Addins|\\+Outlook\\+Addins|\\+Onenote\\+Addins|\\+Excel\\+Addins|\\+Access\\+Addins|test\\+Special\\+Perf</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+regsvr32\.exe)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+AdHocReportingExcelClientLib\.AdHocReportingExcelClientAddIn\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+ExcelPlugInShell\.PowerMapConnect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+NativeShim\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+NativeShim\.InquireConnector\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Excel\\+Addins\\+PowerPivotExcelClientAddIn\.NativeEntry\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+AccessAddin\.DC\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+ColleagueImport\.ColleagueImportAddin\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+EvernoteCC\.EvernoteContactConnector\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+AddIns\\+EvernoteOLRD\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+Microsoft\.VbaAddinForOutlook\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OcOffice\.OcForms\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OneNote\.OutlookAddin</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OscAddin\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+OutlookChangeNotifier\.Connect\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UCAddin\.LyncAddin\.1</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UCAddin\.UCAddin\.1</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Outlook\\+Addins\\+UmOutlookAddin\.FormRegionAddin\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+AVG\\+Antivirus\\+RegSvr\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Office\\+Outlook\\+Addins\\+Antivirus\.AsOutExt\\+</field>
    </rule>
    <rule id="902189" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
            <id>attack.t1546.009</id>
        </mitre>
        <description>Session Manager Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+Session\ Manager</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SetupExecute|\\+S0InitialCommand|\\+KnownDlls|\\+Execute|\\+BootExecute|\\+AppCertDlls</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902190" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>System Scripts Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Policies\\+Microsoft\\+Windows\\+System\\+Scripts</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Startup|\\+Shutdown|\\+Logon|\\+Logoff</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902191" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>WinSock2 Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+WinSock2\\+Parameters</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Protocol_Catalog9\\+Catalog_Entries|\\+NameSpace_Catalog5\\+Catalog_Entries</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+MsiExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+syswow64\\+MsiExec\.exe)$</field>
    </rule>
    <rule id="902192" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ShellServiceObjectDelayLoad|\\+Run\\+|\\+RunOnce\\+|\\+RunOnceEx\\+|\\+RunServices\\+|\\+RunServicesOnce\\+|\\+Explorer\\+ShellServiceObjects|\\+Explorer\\+ShellIconOverlayIdentifiers|\\+Explorer\\+ShellExecuteHooks|\\+Explorer\\+SharedTaskScheduler|\\+Explorer\\+Browser\ Helper\ Objects</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)C:\\+Program\ Files\ $x86$\\+Microsoft\\+EdgeUpdate\\+Install\\+\{</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+setup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Office\\+ClickToRun\\+REGISTRY\\+MACHINE\\+Software\\+Wow6432Node\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Explorer\\+Browser\ Helper\ Objects\\+\{31D09BA0\-12F5\-4CCE\-BE8A\-2923E76605DA\}\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\-A251\-47B7\-93E1\-CDD82E34AF8B\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:grpconv\ \-o)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Program\ Files</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Dropbox\\+Client\\+Dropbox\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\ /systemstartup</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Explorer\\+Browser\ Helper\ Objects\\+\{92EF2EAD\-A7CE\-4424\-B0DB\-499CF856608E\}\\+NoExplorer)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+windowsdesktop\-runtime\-</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+WOW6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{e2d1ae32\-dd1d\-4ad7\-a298\-10e42e7840fc\})$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+WOW6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+\{7037b699\-7382\-448c\-89a7\-4765961d2537\})$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+ProgramData\\+Package\ Cache\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+ProgramData\\+Package\ Cache\\+\{d21a4f20\-968a\-4b0c\-bf04\-a38da5f06e41\}\\+windowsdesktop\-runtime\-)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+VC_redist\.x64\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\}\\+VC_redist\.x64\.exe"\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Package\ Cache)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Temp\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+winsdksetup\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+windowsdesktop\-runtime\-</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+AspNetCoreSharedFrameworkBundle\-</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\ /burn\.runonce)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Installer\\+MSI)</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Explorer\\+Browser\ Helper\ Objects</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+</field>
    </rule>
    <rule id="902193" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node Classes Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Wow6432Node\\+Classes</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Folder\\+ShellEx\\+ExtShellFolderViews|\\+Folder\\+ShellEx\\+DragDropHandlers|\\+Folder\\+ShellEx\\+ColumnHandlers|\\+Directory\\+Shellex\\+DragDropHandlers|\\+Directory\\+Shellex\\+CopyHookHandlers|\\+CLSID\\+\{AC757296\-3522\-4E11\-9862\-C17BE5A1767E\}\\+Instance|\\+CLSID\\+\{ABE3B9A4\-257D\-4B97\-BD1A\-294AF496222E\}\\+Instance|\\+CLSID\\+\{7ED96837\-96F0\-4812\-B211\-F13C24117ED3\}\\+Instance|\\+CLSID\\+\{083863F1\-70DE\-11d0\-BD40\-00A0C911CE86\}\\+Instance|\\+AllFileSystemObjects\\+ShellEx\\+DragDropHandlers|\\+ShellEx\\+PropertySheetHandlers|\\+ShellEx\\+ContextMenuHandlers</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902194" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Wow6432Node Windows NT CurrentVersion Autorun Keys Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Wow6432Node\\+Microsoft\\+Windows\ NT\\+CurrentVersion</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Windows\\+Appinit_Dlls|\\+Image\ File\ Execution\ Options|\\+Drivers32</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\\+REGISTRY\\+MACHINE\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Image\ File\ Execution\ Options)$</field>
    </rule>
    <rule id="902195" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom DB Path Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+Winternals\\+BGInfo\\+Database)$</field>
    </rule>
    <rule id="902196" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom VBScript Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Winternals\\+BGInfo\\+UserFields\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:4)</field>
    </rule>
    <rule id="902197" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New BgInfo.EXE Custom WMI Query Registry Configuration</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Winternals\\+BGInfo\\+UserFields\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:6)</field>
    </rule>
    <rule id="902198" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Blackbyte Ransomware Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LocalAccountTokenFilterPolicy|HKLM\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+EnableLinkedConnections|HKLM\\+SYSTEM\\+CurrentControlSet\\+Control\\+FileSystem\\+LongPathsEnabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902199" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC Using DelegateExecute</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+open\\+command\\+DelegateExecute)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902200" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Bypass UAC Using Event Viewer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:_Classes\\+mscfile\\+shell\\+open\\+command\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%SystemRoot%\\+system32\\+mmc\.exe\ "%1"\ %)</field>
    </rule>
    <rule id="902201" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Bypass UAC Using SilentCleanup Task</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Environment\\+windir)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%SystemRoot%)$</field>
    </rule>
    <rule id="902202" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.010</id>
        </mitre>
        <description>Default RDP Port Changed to Non Standard Port</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Control\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+PortNumber)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD\ $0x00000d3d$)$</field>
    </rule>
    <rule id="902203" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>IE Change Domain Zone</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+Domains\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902204" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Sysmon Driver Altitude Change</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Instances\\+Sysmon\ Instance\\+Altitude)$</field>
    </rule>
    <rule id="902205" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Change Winevt Channel Access Permission Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ChannelAccess)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)$A;;0x1;;;LA$|$A;;0x1;;;SY$|$A;;0x5;;;BA$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+servicing\\+TrustedInstaller\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+WinSxS\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
    </rule>
    <rule id="902206" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>ClickOnce Trust Prompt Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+MICROSOFT\\+\.NETFramework\\+Security\\+TrustManager\\+PromptingLevel\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Internet|\\+LocalIntranet|\\+MyComputer|\\+TrustedSites|\\+UntrustedSites)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:Enabled)$</field>
    </rule>
    <rule id="902207" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1546</id>
            <id>attack.t1548</id>
        </mitre>
        <description>COM Hijack via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Classes\\+Folder\\+shell\\+open\\+command\\+DelegateExecute</field>
    </rule>
    <rule id="902208" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1564</id>
            <id>attack.t1112</id>
        </mitre>
        <description>CrashControl CrashDump Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SYSTEM\\+CurrentControlSet\\+Control\\+CrashControl</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902209" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Start)$</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+Perflogs\\+|\\+ADMIN\$\\+|\\+Temp\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$|DWORD\ $0x00000001$|DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902210" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ImagePath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Users\\+Public\\+|\\+Perflogs\\+|\\+ADMIN\$\\+|\\+Temp\\+</field>
    </rule>
    <rule id="902211" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Service Binary in Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Common\ Files\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\+Temp\\+</field>
    </rule>
    <rule id="902212" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1202</id>
        </mitre>
        <description>Custom File Open Handler Executes PowerShell</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)shell\\+open\\+command\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)powershell</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\-command</field>
    </rule>
    <rule id="902213" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1574</id>
        </mitre>
        <description>Potential Registry Persistence Attempt Via DbgManagedDebugger</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+\.NETFramework\\+DbgManagedDebugger)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\+Windows\\+system32\\+vsjitdebugger\.exe"\ PID\ %d\ APPDOM\ %d\ EXTEXT\ "%s"\ EVTHDL\ %d)$</field>
    </rule>
    <rule id="902214" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Exclusions Added - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Exclusions</field>
    </rule>
    <rule id="902215" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:NoChangingWallpaper)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902216" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Wallpaper)$</field>
    </rule>
    <rule id="902217" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+WallpaperStyle)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:2)$</field>
    </rule>
    <rule id="902218" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.impact</id>
            <id>attack.t1112</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potentially Suspicious Desktop Background Change Via Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Control\ Panel\\+Desktop|CurrentVersion\\+Policies\\+ActiveDesktop|CurrentVersion\\+Policies\\+System</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+svchost\.exe)$</field>
    </rule>
    <rule id="902219" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Hypervisor Enforced Code Integrity Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+DeviceGuard\\+HypervisorEnforcedCodeIntegrity|\\+Control\\+DeviceGuard\\+HypervisorEnforcedCodeIntegrity|\\+Control\\+DeviceGuard\\+Scenarios\\+HypervisorEnforcedCodeIntegrity\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902220" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DHCP Callout DLL Installation</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+DHCPServer\\+Parameters\\+CalloutDlls|\\+Services\\+DHCPServer\\+Parameters\\+CalloutEnabled)$</field>
    </rule>
    <rule id="902221" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Exploit Guard Network Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+App\ and\ Browser\ protection\\+DisallowExploitProtectionOverride</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $00000001$)$</field>
    </rule>
    <rule id="902222" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disabled Windows Defender Eventlog</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Windows\ Defender/Operational\\+Enabled</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902223" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable PUA Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Policies\\+Microsoft\\+Windows\ Defender\\+PUAProtection</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902224" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Tamper Protection on Windows Defender</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ Defender\\+Features\\+TamperProtection</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Windows\ Defender\\+MsMpEng\.exe)$</field>
    </rule>
    <rule id="902225" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>Disable Administrative Share Creation at Startup</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+LanmanServer\\+Parameters\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AutoShareWks|\\+AutoShareServer)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902226" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential AutoLogger Sessions Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Control\\+WMI\\+Autologger\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+EventLog\-|\\+Defender</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enable|\\+Start)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+wevtutil\.exe)$</field>
    </rule>
    <rule id="902227" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Disable Microsoft Defender Firewall via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+SharedAccess\\+Parameters\\+FirewallPolicy\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EnableFirewall)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902228" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Internal Tools or Feature in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+StartMenuLogOff|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableChangePassword|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableLockWorkstation|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableRegistryTools|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+DisableTaskmgr|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+NoDispBackgroundPage|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+NoDispCPL|SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+Explorer\\+DisableNotificationCenter|SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+System\\+DisableCMD)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902229" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Internal Tools or Feature in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+ConsentPromptBehaviorAdmin|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+shutdownwithoutlogon|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+PushNotifications\\+ToastEnabled|SYSTEM\\+CurrentControlSet\\+Control\\+Storage\\+Write\ Protection|SYSTEM\\+CurrentControlSet\\+Control\\+StorageDevicePolicies\\+WriteProtect)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902230" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Disable Macro Runtime Scan Scope</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Common\\+Security</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+MacroRuntimeScanScope)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902231" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Privacy Settings Experience in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\\+OOBE\\+DisablePrivacyExperience)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902232" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Disable Windows Security Center Notifications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Windows\\+CurrentVersion\\+ImmersiveShell\\+UseActionCenterExperience)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902233" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>Registry Disable System Restore</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Policies\\+Microsoft\\+Windows\ NT\\+SystemRestore|\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+SystemRestore</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:DisableConfig|DisableSR)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902234" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>Disable UAC Using Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+EnableLUA</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902235" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Windows Defender Service Disabled - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+WinDefend\\+Start)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000004$)$</field>
    </rule>
    <rule id="902236" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.004</id>
        </mitre>
        <description>Disable Windows Firewall by Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+WindowsFirewall\\+StandardProfile\\+EnableFirewall|\\+SOFTWARE\\+Policies\\+Microsoft\\+WindowsFirewall\\+DomainProfile\\+EnableFirewall)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902237" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Disable Windows Event Logging Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+wevtutil\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+winsxs\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-FileInfoMinifilter</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-ASN1\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Kernel\-AppCompat\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Runtime\\+Error\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-CAPI2/Operational\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+servicing\\+TrustedInstaller\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+Microsoft\-Windows\-Compat\-Appraiser</field>
    </rule>
    <rule id="902238" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Disable Windows Event Logging Via Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+WINEVT\\+Channels\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902239" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Add DisallowRun Execution to Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+DisallowRun)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902240" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Disk Cleanup Handler - Autorun</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Autorun</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902241" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Disk Cleanup Handler - Autorun</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+VolumeCaches\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CleanupString|\\+PreCleanupString</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)cmd|powershell|rundll32|mshta|cscript|wscript|wsl|\\+Users\\+Public\\+|\\+Windows\\+TEMP\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+</field>
    </rule>
    <rule id="902242" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Microsoft\\+Edge\\+BuiltInDnsClientEnabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902243" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Google\\+Chrome\\+DnsOverHttpsMode)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:secure)$</field>
    </rule>
    <rule id="902244" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1140</id>
            <id>attack.t1112</id>
        </mitre>
        <description>DNS-over-HTTPS Enabled by Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Policies\\+Mozilla\\+Firefox\\+DNSOverHTTPS\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902245" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.002</id>
            <id>attack.t1112</id>
        </mitre>
        <description>New DNS ServerLevelPluginDll Installed</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+services\\+DNS\\+Parameters\\+ServerLevelPluginDll)$</field>
    </rule>
    <rule id="902246" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Sysmon Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+\.NETFramework\\+ETWEnabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902247" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled In .NET Processes - Sysmon Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+COMPlus_ETWEnabled|\\+COMPlus_ETWFlags)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:0|DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902248" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Enabling COR Profiler Environment Variables</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+COR_ENABLE_PROFILING|\\+COR_PROFILER|\\+CORECLR_ENABLE_PROFILING)$</field>
    </rule>
    <rule id="902249" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1574.012</id>
        </mitre>
        <description>Enabling COR Profiler Environment Variables</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CORECLR_PROFILER_PATH</field>
    </rule>
    <rule id="902250" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Scripted Diagnostics Turn Off Check Enabled - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Policies\\+Microsoft\\+Windows\\+ScriptedDiagnostics\\+TurnOffCheck)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902251" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.002</id>
        </mitre>
        <description>Potential EventLog File Location Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Services\\+EventLog\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+File)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+System32\\+Winevt\\+Logs\\+</field>
    </rule>
    <rule id="902252" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Change User Account Associated with the FAX Service</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+Fax\\+ObjectName)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)NetworkService</field>
    </rule>
    <rule id="902253" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Change the Fax Dll</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Fax\\+Device\ Providers\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ImageName</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%systemroot%\\+system32\\+fxst30\.dll)$</field>
    </rule>
    <rule id="902254" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>New File Association Using Exefile</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+\.</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:exefile)$</field>
    </rule>
    <rule id="902255" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Add Debugger Entry To Hangs Key For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+Hangs\\+Debugger</field>
    </rule>
    <rule id="902256" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Persistence Via Hhctrl.ocx</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+\{52A2AAAE\-085D\-4187\-97EA\-8C30DB990436\}\\+InprocServer32\\+$Default$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+hhctrl\.ocx)$</field>
    </rule>
    <rule id="902257" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Registry Modification to Hidden File Extension</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+HideFileExt)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902258" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Registry Modification to Hidden File Extension</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+Hidden)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902259" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>Displaying Hidden Files Feature Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowSuperHidden|\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+Hidden)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902260" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Hide Function from User</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideClock|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAHealth|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCANetwork|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAPower|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+HideSCAVolume)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902261" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Hide Function from User</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowInfoTip|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+Advanced\\+ShowCompColor)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902262" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562</id>
        </mitre>
        <description>Hide Schedule Task Via Index Value Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Index</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902263" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings\\+ZoneMap\\+ProtocolDefaults</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+http|\\+https)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)DWORD\ $0x00000000$</field>
    </rule>
    <rule id="902264" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Uncommon Extension In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.ime)$</field>
    </rule>
    <rule id="902265" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Path In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Roaming\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902266" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Suspicious Path In Keyboard Layout IME File Registry Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Keyboard\ Layouts\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Ime\ File</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
    </rule>
    <rule id="902267" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1490</id>
        </mitre>
        <description>New Root or CA or AuthRoot Certificate to Store</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+Root\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+CA\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+SystemCertificates\\+AuthRoot\\+Certificates\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+SystemCertificates\\+AuthRoot\\+Certificates\\+|\\+SOFTWARE\\+Microsoft\\+EnterpriseCertificates\\+AuthRoot\\+Certificates\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Blob)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:Binary\ Data)$</field>
    </rule>
    <rule id="902268" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Internet Explorer DisableFirstRunCustomize Enabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Internet\ Explorer\\+Main\\+DisableFirstRunCustomize)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$|DWORD\ $0x00000002$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ie4uinit\.exe)$</field>
    </rule>
    <rule id="902269" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.impact</id>
            <id>attack.t1491.001</id>
        </mitre>
        <description>Potential Ransomware Activity Using LegalNotice Message</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LegalNoticeCaption|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+System\\+LegalNoticeText</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)encrypted|Unlock\-Password|paying</field>
    </rule>
    <rule id="902270" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.command_and_control</id>
            <id>attack.t1105</id>
        </mitre>
        <description>Lolbas OneDriveStandaloneUpdater.exe Proxy Download</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+OneDrive\\+UpdateOfficeConfig\\+UpdateRingSettingURLFromOC</field>
    </rule>
    <rule id="902271" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Lsass Full Dump Request Via DumpType Registry Settings</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+LocalDumps\\+DumpType|\\+SOFTWARE\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+LocalDumps\\+lsass\.exe\\+DumpType</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902272" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RestrictedAdminMode Registry Value Tampering</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Lsa\\+DisableRestrictedAdmin)$</field>
    </rule>
    <rule id="902273" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1112</id>
            <id>attack.t1047</id>
        </mitre>
        <description>Blue Mockingbird - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CurrentControlSet\\+Services\\+wercplsupport\\+Parameters\\+ServiceDll)$</field>
    </rule>
    <rule id="902274" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>Potential Persistence Via Netsh Helper DLL - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.dll</field>
    </rule>
    <rule id="902275" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>New Netsh Helper DLL Registered From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Perflogs\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|\\+Temporary\ Internet</field>
    </rule>
    <rule id="902276" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.007</id>
        </mitre>
        <description>New Netsh Helper DLL Registered From A Suspicious Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+NetSh</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favorites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Favourites\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Contacts\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+Users\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Pictures\\+</field>
    </rule>
    <rule id="902277" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>NET NGenAssemblyUsageLog Registry Key Tamper</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+\.NETFramework\\+NGenAssemblyUsageLog)$</field>
    </rule>
    <rule id="902278" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1204.002</id>
        </mitre>
        <description>New Application in AppCompat</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+AppCompatFlags\\+Compatibility\ Assistant\\+Store\\+</field>
    </rule>
    <rule id="902279" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.credential_access</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potential Credential Dumping Attempt Using New NetworkProvider - REG</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+WebClient\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+LanmanWorkstation\\+NetworkProvider</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+System\\+CurrentControlSet\\+Services\\+RDPNP\\+NetworkProvider</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+poqexec\.exe)$</field>
    </rule>
    <rule id="902280" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>New ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SQL\ Server\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%WINDIR%\\+System32\\+SQLSRV32\.dll)$</field>
    </rule>
    <rule id="902281" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>New ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\ Access\ )</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Progra)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+ACEODBC\.DLL)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\ Excel\ Driver</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Progra)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\+ACEODBC\.DLL)$</field>
    </rule>
    <rule id="902282" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1003</id>
        </mitre>
        <description>Potentially Suspicious ODBC Driver Registered</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+ODBC\\+ODBCINST\.INI\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Driver|\\+Setup)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+PerfLogs\\+|:\\+ProgramData\\+|:\\+Temp\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Registration\\+CRMLog|:\\+Windows\\+System32\\+com\\+dmp\\+|:\\+Windows\\+System32\\+FxsTmp\\+|:\\+Windows\\+System32\\+Microsoft\\+Crypto\\+RSA\\+MachineKeys\\+|:\\+Windows\\+System32\\+spool\\+drivers\\+color\\+|:\\+Windows\\+System32\\+spool\\+PRINTERS\\+|:\\+Windows\\+System32\\+spool\\+SERVERS\\+|:\\+Windows\\+System32\\+Tasks_Migrated\\+|:\\+Windows\\+System32\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|:\\+Windows\\+SysWOW64\\+com\\+dmp\\+|:\\+Windows\\+SysWOW64\\+FxsTmp\\+|:\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+PLA\\+System\\+|:\\+Windows\\+SysWOW64\\+Tasks\\+Microsoft\\+Windows\\+SyncCenter\\+|:\\+Windows\\+Tasks\\+|:\\+Windows\\+Temp\\+|:\\+Windows\\+Tracing\\+|\\+AppData\\+Local\\+Temp\\+|\\+AppData\\+Roaming\\+</field>
    </rule>
    <rule id="902283" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Trust Access Disable For VBApplications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Security\\+AccessVBOM)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902284" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Office Protected View Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+ProtectedView\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableAttachementsInPV|\\+DisableInternetFilesInPV|\\+DisableIntranetCheck|\\+DisableUnsafeLocationsInPV)$</field>
    </rule>
    <rule id="902285" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Microsoft Office Protected View Disabled</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Security\\+ProtectedView\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+enabledatabasefileprotectedview|\\+enableforeigntextfileprotectedview)$</field>
    </rule>
    <rule id="902286" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.002</id>
        </mitre>
        <description>Enable Microsoft Dynamic Data Exchange</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Word\\+Security\\+AllowDDE)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$|DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902287" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1559.002</id>
        </mitre>
        <description>Enable Microsoft Dynamic Data Exchange</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Excel\\+Security\\+DisableDDEServerLaunch|\\+Excel\\+Security\\+DisableDDEServerLookup)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902288" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+LoadMacroProviderOnBoot)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)0x00000001</field>
    </rule>
    <rule id="902289" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.command_and_control</id>
            <id>attack.t1137</id>
            <id>attack.t1008</id>
            <id>attack.t1546</id>
        </mitre>
        <description>Outlook Macro Execution Without Warning Setting Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+Security\\+Level)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)0x00000001</field>
    </rule>
    <rule id="902290" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Outlook EnableUnsafeClientMailRules Setting Enabled - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Outlook\\+Security\\+EnableUnsafeClientMailRules)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902291" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137</id>
        </mitre>
        <description>Outlook Security Settings Updated - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Security\\+</field>
    </rule>
    <rule id="902292" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Uncommon Microsoft Office Trusted Location Added</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Security\\+Trusted\ Locations\\+Location</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Path)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+</field>
    </rule>
    <rule id="902293" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Uncommon Microsoft Office Trusted Location Added</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Security\\+Trusted\ Locations\\+Location</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Path)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%APPDATA%\\+Microsoft\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%APPDATA%%\\+Microsoft\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%APPDATA%\\+Microsoft\\+Word\\+Startup</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%APPDATA%%\\+Microsoft\\+Word\\+Startup</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+Templates\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\ $x86$\\+Templates</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+root\\+Templates\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Microsoft\ Office\\+Templates\\+</field>
    </rule>
    <rule id="902294" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Office Macros Warning Disabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Security\\+VBAWarnings)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902295" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1070.005</id>
        </mitre>
        <description>MaxMpxCt Registry Value Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Services\\+LanmanServer\\+Parameters\\+MaxMpxCt)$</field>
    </rule>
    <rule id="902296" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Using DebugPath</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Classes\\+ActivatableClasses\\+Package\\+Microsoft\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DebugPath)$</field>
    </rule>
    <rule id="902297" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Using DebugPath</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+PackagedAppXDebug\\+Microsoft\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+$Default$)$</field>
    </rule>
    <rule id="902298" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via AppCompat RegisterAppRestart Layer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Layers\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)REGISTERAPPRESTART</field>
    </rule>
    <rule id="902299" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.012</id>
        </mitre>
        <description>Potential Persistence Via App Paths Default Property</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+App\ Paths</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:$Default$|Path)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+Users\\+Public|\\+AppData\\+Local\\+Temp\\+|\\+Windows\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|%temp%|%tmp%|iex|Invoke\-|rundll32|regsvr32|mshta|cscript|wscript|\.bat|\.hta|\.dll|\.ps1</field>
    </rule>
    <rule id="902300" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via AutodialDLL</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+WinSock2\\+Parameters\\+AutodialDLL</field>
    </rule>
    <rule id="902301" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via CHM Helper DLL</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+HtmlHelp\ Author\\+Location|\\+Software\\+WOW6432Node\\+Microsoft\\+HtmlHelp\ Author\\+Location</field>
    </rule>
    <rule id="902302" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential PSFactoryBuffer COM Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+CLSID\\+\{c90250f3\-4d7d\-4991\-9b69\-a5c5bc1c2ae6\}\\+InProcServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%windir%\\+System32\\+ActXPrxy\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+ActXPrxy\.dll)$</field>
    </rule>
    <rule id="902303" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via COM Hijacking From Suspicious Locations</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+InprocServer32\\+$Default$|\\+LocalServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Desktop\\+|\\+Downloads\\+|\\+Microsoft\\+Windows\\+Start\ Menu\\+Programs\\+Startup\\+|\\+System32\\+spool\\+drivers\\+color\\+|\\+Users\\+Public\\+|\\+Windows\\+Temp\\+|%appdata%|%temp%|%tmp%</field>
    </rule>
    <rule id="902304" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Custom Protocol Handler</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKCR\\+)</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:URL:)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:URL:ms\-)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+)</field>
    </rule>
    <rule id="902305" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Event Viewer Events.asp</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgram|\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionURL</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgram)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%%SystemRoot%%\\+PCHealth\\+HelpCtr\\+Binaries\\+HelpCtr\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Event\ Viewer\\+MicrosoftRedirectionProgramCommandLineParameters)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\-url\ hcp://services/centers/support.topic=%%s)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:http://go\.microsoft\.com/fwlink/events\.asp)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
    </rule>
    <rule id="902306" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1546.012</id>
            <id>car.2013-01-002</id>
        </mitre>
        <description>Potential Persistence Via GlobalFlags</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Image\ File\ Execution\ Options\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+GlobalFlag</field>
    </rule>
    <rule id="902307" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1546.012</id>
            <id>car.2013-01-002</id>
        </mitre>
        <description>Potential Persistence Via GlobalFlags</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SilentProcessExit\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+ReportingMode|\\+MonitorProcess</field>
    </rule>
    <rule id="902308" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Modification of IE Registry Settings</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Internet\ Settings</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:DWORD)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:Cookie:)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:Visited:)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Cache</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+ZoneMap</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+WpadDecision</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:Binary\ Data)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Accepted\ Documents\\+</field>
    </rule>
    <rule id="902309" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+\.</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PersistentHandler</field>
    </rule>
    <rule id="902310" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Classes\\+CLSID</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PersistentAddinsRegistered\\+\{89BCB740\-6119\-101A\-BCB7\-00DD010655AF\}</field>
    </rule>
    <rule id="902311" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Register New IFiltre For Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{4F46F75F\-199F\-4C63\-8B7D\-86D48FE7970C\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{4887767F\-7ADC\-4983\-B576\-88FB643D6F79\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{D3B41FA1\-01E3\-49AF\-AA25\-1D0D824275AE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{72773E1A\-B711\-4d8d\-81FA\-B9A43B0650DD\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{098f2470\-bae0\-11cd\-b579\-08002b30bfeb\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{1AA9BF05\-9A97\-48c1\-BA28\-D9DCE795E93C\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{2e2294a9\-50d7\-4fe7\-a09f\-e6492e185884\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{34CEAC8D\-CBC0\-4f77\-B7B1\-8A60CB6DA0F7\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{3B224B11\-9363\-407e\-850F\-C9E1FFACD8FB\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{3DDEB7A4\-8ABF\-4D82\-B9EE\-E1F4552E95BE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5645C8C1\-E277\-11CF\-8FDA\-00AA00A14F93\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5645C8C4\-E277\-11CF\-8FDA\-00AA00A14F93\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{58A9EBF6\-5755\-4554\-A67E\-A2467AD1447B\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{5e941d80\-bf96\-11cd\-b579\-08002b30bfeb\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{698A4FFC\-63A3\-4E70\-8F00\-376AD29363FB\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{7E9D8D44\-6926\-426F\-AA2B\-217A819A5CCE\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{8CD34779\-9F10\-4f9b\-ADFB\-B3FAEABDAB5A\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{9694E38A\-E081\-46ac\-99A0\-8743C909ACB6\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{98de59a0\-d175\-11cd\-a7bd\-00006b827d94\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{AA10385A\-F5AA\-4EFF\-B3DF\-71B701E25E18\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{B4132098\-7A03\-423D\-9463\-163CB07C151F\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{d044309b\-5da6\-4633\-b085\-4ed02522e5a5\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{D169C14A\-5148\-4322\-92C8\-754FC9D018D8\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{DD75716E\-B42E\-4978\-BB60\-1497B92E30C4\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{E2F83EED\-62DE\-4A9F\-9CD0\-A1D40DCD13B6\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{E772CEB3\-E203\-4828\-ADF1\-765713D981B8\}\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{eec97550\-47a9\-11cf\-b952\-00aa0051fe20\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CLSID\\+\{FB10BD80\-A331\-4e9e\-9EB7\-00279903AD99\}\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+)</field>
    </rule>
    <rule id="902312" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via LSA Extensions</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SYSTEM\\+CurrentControlSet\\+Control\\+LsaExtensionConfig\\+LsaSrv\\+Extensions</field>
    </rule>
    <rule id="902313" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Mpnotify</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+mpnotify</field>
    </rule>
    <rule id="902314" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via MyComputer Registry Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+MyComputer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:$Default$)$</field>
    </rule>
    <rule id="902315" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1137.006</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via Visual Studio Tools for Office</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Office\\+Outlook\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Word\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Excel\\+Addins\\+|\\+Software\\+Microsoft\\+Office\\+Powerpoint\\+Addins\\+|\\+Software\\+Microsoft\\+VSTO\\+Security\\+Inclusion\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+excel\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+winword\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+visio\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+Teams\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+AVG\\+Antivirus\\+RegSvr\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Office\\+Outlook\\+Addins\\+Antivirus\.AsOutExt\\+</field>
    </rule>
    <rule id="902316" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Stamp)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902317" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:UserDefinedUrl)$</field>
    </rule>
    <rule id="902318" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Potential Persistence Via Outlook Today Pages</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Outlook\\+Today\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+Updates\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
    </rule>
    <rule id="902319" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential WerFault ReflectDebugger Registry Value Abuse</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+Windows\ Error\ Reporting\\+Hangs\\+ReflectDebugger)$</field>
    </rule>
    <rule id="902320" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via Scrobj.dll COM Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:InprocServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+scrobj\.dll)$</field>
    </rule>
    <rule id="902321" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>Potential Persistence Via COM Search Order Hijacking</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CLSID\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+InprocServer32\\+$Default$)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+system32\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)%%systemroot%%\\+SysWow64\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+OneDrive\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileCoAuthLib64\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileSyncShell64\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileSyncApi64\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+SecurityHealthService\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Local\\+Microsoft\\+TeamsMeetingAddin\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Microsoft\.Teams\.AddinLoader\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+AppData\\+Roaming\\+Dropbox\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+DropboxExt64\..+\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:TmopIEPlg\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+wuauclt\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+Windows\ Defender\\+Platform\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MsMpEng\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+FileRepository\\+nvmdi\.inf</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+MicrosoftEdgeUpdateComRegisterShell64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+WINDOWS\\+SYSTEM32\\+dxdiag\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+pyshellext\.amd64\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+pyshellext\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+dnssdX\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+SysWOW64\\+dnssdX\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+spool\\+drivers\\+x64\\+3\\+PrintConfig\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Program\ Files\ $x86$\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+ProgramData\\+Microsoft\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+WINDOWS\\+system32\\+GamingServicesProxy\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+Autopilot\.dll</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+system32\\+SecurityHealthService\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+SecurityHealth</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?::\\+Windows\\+System32\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+InProcServer32\\+$Default$)$</field>
    </rule>
    <rule id="902322" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via Shim Database Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+InstalledSDB\\+|\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Custom\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:)$</field>
    </rule>
    <rule id="902323" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Suspicious Shim Database Patching Activity</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Custom\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+csrss\.exe|\\+dllhost\.exe|\\+explorer\.exe|\\+RuntimeBroker\.exe|\\+services\.exe|\\+sihost\.exe|\\+svchost\.exe|\\+taskhostw\.exe|\\+winlogon\.exe|\\+WmiPrvSe\.exe)$</field>
    </rule>
    <rule id="902324" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.011</id>
        </mitre>
        <description>Potential Persistence Via Shim Database In Uncommon Location</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+InstalledSDB\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+DatabasePath</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i):\\+Windows\\+AppPatch\\+Custom</field>
    </rule>
    <rule id="902325" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential Persistence Via TypedPaths</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+TypedPaths\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+explorer\.exe)$</field>
    </rule>
    <rule id="902326" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1137.006</id>
        </mitre>
        <description>Potential Persistence Via Excel Add-in - Registry</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Office\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Excel\\+Options)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:/R\ )</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.xll)$</field>
    </rule>
    <rule id="902327" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Associations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Associations\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DefaultFileTypeRisk)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00006152$)$</field>
    </rule>
    <rule id="902328" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Associations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Associations\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LowRiskFileTypes)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.zip;|\.rar;|\.exe;|\.bat;|\.com;|\.cmd;|\.reg;|\.msi;|\.htm;|\.html;</field>
    </rule>
    <rule id="902329" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+HideZoneInfoOnProperties)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902330" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SaveZoneInformation)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902331" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Attachment Manager Settings Attachments Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Attachments\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ScanWithAntiVirus)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902332" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1569.002</id>
        </mitre>
        <description>PowerShell as a Service in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ImagePath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)powershell|pwsh</field>
    </rule>
    <rule id="902333" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
        </mitre>
        <description>PowerShell Script Execution Policy Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Policies\\+Microsoft\\+Windows\\+PowerShell\\+EnableScripts)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902334" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential PowerShell Execution Policy Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ShellIds\\+Microsoft\.PowerShell\\+ExecutionPolicy|\\+Policies\\+Microsoft\\+Windows\\+PowerShell\\+ExecutionPolicy)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)Bypass|Unrestricted</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i):\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="902335" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Suspicious Powershell In Registry Run Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:powershell|pwsh\ |FromBase64String|\.DownloadFile\(|\.DownloadString\(|\ \-w\ hidden\ |\ \-w\ 1\ |\-windowstyle\ hidden|\-window\ hidden|\ \-nop\ |\ \-encodedcommand\ |\-ExecutionPolicy\ Bypass|Invoke\-Expression|IEX\ \(|Invoke\-Command|ICM\ \-|Invoke\-WebRequest|IWR\ |\ \-noni\ |\ \-noninteractive\ )</field>
    </rule>
    <rule id="902336" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.001</id>
        </mitre>
        <description>PowerShell Logging Disabled Via Registry Key Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+PowerShell\\+|\\+Microsoft\\+PowerShellCore\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+ModuleLogging\\+EnableModuleLogging|\\+ScriptBlockLogging\\+EnableScriptBlockLogging|\\+ScriptBlockLogging\\+EnableScriptBlockInvocationLogging|\\+Transcription\\+EnableTranscripting|\\+Transcription\\+EnableInvocationHeader|\\+EnableScripts)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902337" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Provisioning\\+Commands\\+</field>
    </rule>
    <rule id="902338" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Usage of Renamed Sysinternals Tools - RegistrySet</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PsExec|\\+ProcDump|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+PsLoglist|\\+PsPasswd|\\+Active\ Directory\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+PsExec64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procdump64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+livekd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+psloglist64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+pspasswd64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ADExplorer64\.exe)$</field>
    </rule>
    <rule id="902339" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Usage of Renamed Sysinternals Tools - RegistrySet</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+PsExec|\\+ProcDump|\\+Handle|\\+LiveKd|\\+Process\ Explorer|\\+PsLoglist|\\+PsPasswd|\\+Active\ Directory\ Explorer</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+EulaAccepted)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:None)$</field>
    </rule>
    <rule id="902340" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled For rpcrt4.dll</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+Rpc\\+ExtErrorInformation)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$|DWORD\ $0x00000002$)$</field>
    </rule>
    <rule id="902341" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
        </mitre>
        <description>ScreenSaver Registry Key Set</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+rundll32\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\ Panel\\+Desktop\\+SCRNSAVE\.EXE</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.scr)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+System32\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+SysWOW64\\+</field>
    </rule>
    <rule id="902342" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
        </mitre>
        <description>Potential SentinelOne Shell Context Menu Scan Command Tampering</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+shell\\+SentinelOneScan\\+command\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+SentinelOne\\+Sentinel\ Agent)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+SentinelOne\\+Sentinel\ Agent)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+SentinelScanFromContextMenu\.exe</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\\+SentinelOne\\+)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:C:\\+Program\ Files\ $x86$\\+SentinelOne\\+)$</field>
    </rule>
    <rule id="902343" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>ServiceDll Hijack</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+spool\\+drivers\\+x64\\+3\\+PrintConfig\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+lsass\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\+Services\\+NTDS\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%%systemroot%%\\+system32\\+ntdsa\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+poqexec\.exe)$</field>
    </rule>
    <rule id="902344" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1543.003</id>
        </mitre>
        <description>ServiceDll Hijack</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+System\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)ControlSet</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Parameters\\+ServiceDll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+regsvr32\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+STAgent\.dll)$</field>
    </rule>
    <rule id="902345" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
            <id>attack.t1562</id>
        </mitre>
        <description>ETW Logging Disabled For SCM</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Tracing\\+SCM\\+Regular\\+TracingDisabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902346" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Registry Explorer Policy Modification</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoLogOff|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoDesktop|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoRun|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoFind|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoControlPanel|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoFileMenu|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoClose|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoSetTaskbar|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoPropertiesMyDocuments|SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+NoTrayContextMenu)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902347" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1553.003</id>
        </mitre>
        <description>Persistence Via New SIP Provider</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Cryptography\\+Providers\\+|\\+SOFTWARE\\+Microsoft\\+Cryptography\\+OID\\+EncodingType|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+Cryptography\\+Providers\\+|\\+SOFTWARE\\+WOW6432Node\\+Microsoft\\+Cryptography\\+OID\\+EncodingType</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Dll|\\+\$DLL</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:WINTRUST\.DLL)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:mso\.dll)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+poqexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CryptSIPDll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+PsfSip\.dll)$</field>
    </rule>
    <rule id="902348" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Tamper With Sophos AV Registry Keys</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Sophos\ Endpoint\ Defense\\+TamperProtection\\+Config\\+SAVEnabled|\\+Sophos\ Endpoint\ Defense\\+TamperProtection\\+Config\\+SEDEnabled|\\+Sophos\\+SAVService\\+TamperProtection\\+Enabled</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902349" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564.002</id>
        </mitre>
        <description>Hiding User Account Via SpecialAccounts Registry Key</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+SpecialAccounts\\+UserList</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902350" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Activate Suppression of Windows Security Center Notifications</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+UX\ Configuration\\+Notification_Suppress)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902351" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.resource_development</id>
            <id>attack.t1588.002</id>
        </mitre>
        <description>Suspicious Keyboard Layout Load</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Keyboard\ Layout\\+Preload\\+|\\+Keyboard\ Layout\\+Substitutes\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)429|50429|0000042a</field>
    </rule>
    <rule id="902352" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential PendingFileRenameOperations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Session\ Manager\\+PendingFileRenameOperations</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)\\+AppData\\+Local\\+Temp\\+|\\+Users\\+Public\\+</field>
    </rule>
    <rule id="902353" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1036.003</id>
        </mitre>
        <description>Potential PendingFileRenameOperations Tamper</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.eventType" negate="no" type="pcre2">(?i)^(?:SetValue)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+CurrentControlSet\\+Control\\+Session\ Manager\\+PendingFileRenameOperations</field>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+reg\.exe|\\+regedit\.exe)$</field>
    </rule>
    <rule id="902354" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.privilege_escalation</id>
            <id>attack.t1574</id>
            <id>cve.2021.1675</id>
        </mitre>
        <description>Suspicious Printer Driver Empty Manufacturer</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Print\\+Environments\\+Windows\ x64\\+Drivers</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Manufacturer</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:$Empty$)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+CutePDF\ Writer\ v4\.0\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer\ $PS$\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+VNC\ Printer\ $UD$\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Version\-3\\+PDF24\\+</field>
    </rule>
    <rule id="902355" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Registry Persistence via Explorer Run Key</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\\+CurrentVersion\\+Policies\\+Explorer\\+Run)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin\\+|:\\+ProgramData\\+|:\\+Temp\\+|:\\+Users\\+Default\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+</field>
    </rule>
    <rule id="902356" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>New RUN Key Pointing to Suspicious Folder</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Run\\+|\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+RunOnce\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i):\\+\$Recycle\.bin\\+|:\\+Temp\\+|:\\+Users\\+Default\\+|:\\+Users\\+Desktop\\+|:\\+Users\\+Public\\+|:\\+Windows\\+Temp\\+|\\+AppData\\+Local\\+Temp\\+|%temp%\\+|%tmp%\\+</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:%Public%\\+|wscript|cscript)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SoftwareDistribution\\+Download\\+)</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)rundll32\.exe\ C:\\+WINDOWS\\+system32\\+advpack\.dll,DelNodeRunDLL32</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)C:\\+Windows\\+Temp\\+</field>
    </rule>
    <rule id="902357" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.t1562.001</id>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Suspicious Service Installed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:HKLM\\+System\\+CurrentControlSet\\+Services\\+NalDrv\\+ImagePath|HKLM\\+System\\+CurrentControlSet\\+Services\\+PROCEXP152\\+ImagePath)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procexp\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon64\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+procmon\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+handle64\.exe)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+WINDOWS\\+system32\\+Drivers\\+PROCEXP152\.SYS</field>
    </rule>
    <rule id="902358" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>Modify User Shell Folders Startup Value</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Explorer\\+User\ Shell\ Folders</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Startup)$</field>
    </rule>
    <rule id="902359" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Enable LM Hash Storage</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:System\\+CurrentControlSet\\+Control\\+Lsa\\+NoLMHash)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902360" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Scheduled TaskCache Change by Uncommon Program</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+UpdateOrchestrator</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+SoftwareProtectionPlatform\\+SvcRestartTask\\+Index</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Microsoft\\+Windows\\+Flighting\\+OneSettings\\+RefreshCache\\+Index</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+TiWorker\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+WINDOWS\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+Microsoft\.NET\\+Framework)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+ngen\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tasks\\+\{B66B135D\-DA06\-4FC4\-95F8\-7458E1D10129\}</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+Microsoft\\+Windows\\+\.NET\ Framework\\+\.NET\ Framework\ NGEN</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Microsoft\ Office\\+root\\+Integration\\+Integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+Integration\\+Integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+System32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Dropbox\\+Update\\+DropboxUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Dropbox\\+Update\\+DropboxUpdate\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+explorer\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Schedule\\+TaskCache\\+Tree\\+Microsoft\\+Windows\\+PLA\\+Server\ Manager\ Performance\ Monitor\\+</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:System)$</field>
    </rule>
    <rule id="902361" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1053.005</id>
        </mitre>
        <description>Potential Registry Persistence Attempt Via Windows Telemetry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+TelemetryController\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Command)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)\.bat|\.bin|\.cmd|\.dat|\.dll|\.exe|\.hta|\.jar|\.js|\.msi|\.ps|\.sh|\.vb</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+system32\\+CompatTelRunner\.exe</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+system32\\+DeviceCensus\.exe</field>
    </rule>
    <rule id="902362" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed to Zero</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+fDenyTSConnections|\\+fSingleSessionPerUser|\\+UserAuthentication)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902363" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+|\\+Windows\ NT\\+Terminal\ Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Shadow)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$|DWORD\ $0x00000002$|DWORD\ $0x00000003$|DWORD\ $0x00000004$)$</field>
    </rule>
    <rule id="902364" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+|\\+Windows\ NT\\+Terminal\ Services\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableRemoteDesktopAntiAlias|\\+DisableSecuritySettings|\\+fAllowUnsolicited|\\+fAllowUnsolicitedFullControl)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902365" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
            <id>attack.t1112</id>
        </mitre>
        <description>RDP Sensitive Settings Changed</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+Terminal\ Server\\+InitialProgram|\\+Control\\+Terminal\ Server\\+WinStations\\+RDP\-Tcp\\+InitialProgram|\\+services\\+TermService\\+Parameters\\+ServiceDll|\\+Windows\ NT\\+Terminal\ Services\\+InitialProgram</field>
    </rule>
    <rule id="902366" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1547.003</id>
        </mitre>
        <description>New TimeProviders Registered With Uncommon DLL Name</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Services\\+W32Time\\+TimeProviders</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DllName)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%SystemRoot%\\+System32\\+vmictimeprovider\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%systemroot%\\+system32\\+w32time\.dll)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SYSTEM32\\+w32time\.DLL)$</field>
    </rule>
    <rule id="902367" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Old TLS1.0/TLS1.1 Protocol Version Enabled</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Control\\+SecurityProviders\\+SCHANNEL\\+Protocols\\+TLS\ 1\.0\\+|\\+Control\\+SecurityProviders\\+SCHANNEL\\+Protocols\\+TLS\ 1\.1\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Enabled)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902368" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.015</id>
        </mitre>
        <description>COM Hijacking via TreatAs</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:TreatAs\\+$Default$)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\\+Common\ Files\\+Microsoft\ Shared\\+ClickToRun\\+)</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+OfficeClickToRun\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Program\ Files\ $x86$\\+Microsoft\ Office\\+root\\+integration\\+integrator\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+svchost\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+system32\\+msiexec\.exe)$</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\+Windows\\+SysWOW64\\+msiexec\.exe)$</field>
    </rule>
    <rule id="902369" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Potential Signing Bypass Via Windows Developer Features - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Microsoft\\+Windows\\+CurrentVersion\\+AppModelUnlock|\\+Policies\\+Microsoft\\+Windows\\+Appx\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AllowAllTrustedApps|\\+AllowDevelopmentWithoutDevLicense)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902370" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Event Viewer</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+mscfile\\+shell\\+open\\+command)$</field>
    </rule>
    <rule id="902371" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Classes\\+exefile\\+shell\\+runas\\+command\\+isolatedCommand)$</field>
    </rule>
    <rule id="902372" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
            <id>car.2019-04-001</id>
        </mitre>
        <description>UAC Bypass via Sdclt</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:Software\\+Classes\\+Folder\\+shell\\+open\\+command\\+SymbolicLinkValue)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)-1[0-9]{3}\\+Software\\+Classes\\+</field>
    </rule>
    <rule id="902373" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Abusing Winsat Path Parsing - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+Root\\+InventoryApplicationFile\\+winsat\.exe\|</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LowerCaseLongPath)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:c:\\+users\\+)</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\\+appdata\\+local\\+temp\\+system32\\+winsat\.exe)$</field>
    </rule>
    <rule id="902374" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1548.002</id>
        </mitre>
        <description>UAC Bypass Using Windows Media Player - Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+AppCompatFlags\\+Compatibility\ Assistant\\+Store\\+C:\\+Program\ Files\\+Windows\ Media\ Player\\+osk\.exe)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:Binary\ Data)$</field>
    </rule>
    <rule id="902375" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.001</id>
        </mitre>
        <description>VBScript Payload Stored in Registry</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)vbscript:|jscript:|mshtml,|RunHTMLApplication|Execute\(|CreateObject|window\.close</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run</field>
        <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\+msiexec\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\\+CurrentVersion\\+Installer\\+UserData\\+</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)\\+Microsoft\.NET\\+Primary\ Interop\ Assemblies\\+Microsoft\.mshtml\.dll</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)&lt;\\+Microsoft\.mshtml,fileVersion=</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)_mshtml_dll_</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)&lt;\\+Microsoft\.mshtml,culture=</field>
    </rule>
    <rule id="902376" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218</id>
        </mitre>
        <description>Execution DLL of Choice Using WAB.EXE</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Software\\+Microsoft\\+WAB\\+DLLPath)$</field>
        <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:%CommonProgramFiles%\\+System\\+wab32\.dll)$</field>
    </rule>
    <rule id="902377" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Wdigest Enable UseLogonCredential</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:WDigest\\+UseLogonCredential)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902378" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender Functionalities Via Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+DisableAntiSpyware|\\+DisableAntiVirus|\\+Real\-Time\ Protection\\+DisableBehaviorMonitoring|\\+Real\-Time\ Protection\\+DisableIntrusionPreventionSystem|\\+Real\-Time\ Protection\\+DisableIOAVProtection|\\+Real\-Time\ Protection\\+DisableOnAccessProtection|\\+Real\-Time\ Protection\\+DisableRealtimeMonitoring|\\+Real\-Time\ Protection\\+DisableScanOnRealtimeEnable|\\+Real\-Time\ Protection\\+DisableScriptScanning|\\+Reporting\\+DisableEnhancedNotifications|\\+SpyNet\\+DisableBlockAtFirstSeen)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902379" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1562.001</id>
        </mitre>
        <description>Disable Windows Defender Functionalities Via Registry Keys</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)\\+SOFTWARE\\+Microsoft\\+Windows\ Defender\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\ Security\ Center\\+|\\+SOFTWARE\\+Policies\\+Microsoft\\+Windows\ Defender\\+</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+App\ and\ Browser\ protection\\+DisallowExploitProtectionOverride|\\+Features\\+TamperProtection|\\+MpEngine\\+MpEnablePus|\\+PUAProtection|\\+Signature\ Update\\+ForceUpdateFromMU|\\+SpyNet\\+SpynetReporting|\\+SpyNet\\+SubmitSamplesConsent|\\+Windows\ Defender\ Exploit\ Guard\\+Controlled\ Folder\ Access\\+EnableControlledFolderAccess)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000000$)$</field>
    </rule>
    <rule id="902380" level="7">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Winget Admin Settings Modification</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\+winget\.exe)$</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)^(?:\\+REGISTRY\\+A\\+)</field>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+LocalState\\+admin_settings)$</field>
    </rule>
    <rule id="902381" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.persistence</id>
        </mitre>
        <description>Enable Local Manifest Installation With Winget</description>
        <options>no_full_log</options>
        <group>windows,registry_set,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+AppInstaller\\+EnableLocalManifestFiles)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)^(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902382" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.defense_evasion</id>
            <id>attack.t1112</id>
        </mitre>
        <description>Winlogon AllowMultipleTSSessions Enable</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+AllowMultipleTSSessions)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:DWORD\ $0x00000001$)$</field>
    </rule>
    <rule id="902383" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1547.004</id>
        </mitre>
        <description>Winlogon Notify Key Logon Persistence</description>
        <options>no_full_log</options>
        <group>registry_set,windows,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(?:\\+SOFTWARE\\+Microsoft\\+Windows\ NT\\+CurrentVersion\\+Winlogon\\+Notify\\+logon)$</field>
        <field name="win.eventdata.details" negate="no" type="pcre2">(?i)(?:\.dll)$</field>
    </rule>
    <rule id="902384" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Configuration Change</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:16)$</field>
    </rule>
    <rule id="902385" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Error</description>
        <options>no_full_log</options>
        <group>windows,sysmon_error,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.description" negate="no" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error|Failed\ to\ connect\ to\ the\ driver\ to\ update\ configuration</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Last\ error:\ The\ media\ is\ write\ protected\.</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error\ 19</field>
        <field name="win.eventdata.description" negate="yes" type="pcre2">(?i)Failed\ to\ open\ service\ configuration\ with\ error\ 93</field>
    </rule>
    <rule id="902386" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Stopped)</field>
    </rule>
    <rule id="902387" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="no" type="pcre2">(?i)(?:Sysmon\ config\ state\ changed)</field>
    </rule>
    <rule id="902388" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1564</id>
        </mitre>
        <description>Sysmon Configuration Modification</description>
        <options>no_full_log</options>
        <group>windows,sysmon_status,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="full_log" negate="yes" type="pcre2">(?i)(?:Started)</field>
    </rule>
    <rule id="902389" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_executable.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Blocked Executable</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:27)$</field>
    </rule>
    <rule id="902390" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_shredding.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon Blocked File Shredding</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:28)$</field>
    </rule>
    <rule id="902391" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.defense_evasion</id>
        </mitre>
        <description>Sysmon File Executable Creation Detected</description>
        <options>no_full_log</options>
        <group>windows,sysmon,</group>
        <if_sid>184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:29)$</field>
    </rule>
    <rule id="902392" level="10">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>WMI Event Subscription</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">(?i)^(?:19|20|21)$</field>
    </rule>
    <rule id="902393" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1047</id>
            <id>attack.persistence</id>
            <id>attack.t1546.003</id>
        </mitre>
        <description>Suspicious Encoded Scripts in a WMI Consumer</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destination" negate="no" type="pcre2">WriteProcessMemory|This\ program\ cannot\ be\ run\ in\ DOS\ mode|This\ program\ must\ be\ run\ under\ Win32</field>
    </rule>
    <rule id="902394" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml</info>
        
        
        
        
        
        <mitre>
            <id>attack.execution</id>
            <id>attack.t1059.005</id>
        </mitre>
        <description>Suspicious Scripting in a WMI Consumer</description>
        <options>no_full_log</options>
        <group>windows,wmi_event,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)net\.webclient</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\.downloadstring</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)new\-object</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)net\.webclient</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\.downloadfile</field>
        <field name="win.eventdata.destination" negate="no" type="pcre2">(?i)\ iex\(|\ \-nop\ |\ \-noprofile\ |\ \-decode\ |\ \-enc\ |WScript\.Shell|System\.Security\.Cryptography\.FromBase64Transform</field>
    </rule>
</group>